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Preface 






The purpose of this study was to design a multi- 
level secure local aetwork for the IKS. Air Forced 
Electronic Security Command at Kelly Air Force Base, 
Texas. The resulting design was modeled with all 
traffic encrypted for secure point-to-point communica- 
tions implementing a packet-switching s tore-and-f orwar d 
scheme over a dual loop ring topology using frequency 
division multiplexed fiber optics* To analytically 
validate the design, Jackson’s Theorem was applied to 
a simplified version of the model. The results were 
encouraging. To further evaluate the model, a simulation 
of the streamlined model was attempted on a microcomputer 
with 64K RAM. The language used for the simulation 
was PASCAL. Even though it appears to be feasible to 
validate a network model on a microcomputer, it was 
determined that this approach needs further research. 
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access control: 1) network - strategy used to 

capture the network’s transmission medium; 

2) security - the process and procedures used 
to restrict entry into the system only to 
those who are authorized; these procedures 
implement the relevant discretionary and non- 
discretionary security policies 

application node: for this thesis, a node, designated 

by an "A", which will respond to a job request 
from another node 

available: a system that is operational and can 

provide service; an available system is 
characterized by long mean-time-between-failures 
and short t iroe- 1 o-r epa i r , it is usually fault 
tolerant 

backbone: the interconnection of interface message 

processors (IMPs); refer to topology 

broadcast: a communication architecture with the 

following characteristics: 1) a single 

communication channel is shared by all IMPs; 

2) all messages transmitted over the channel 
are received by all IMPs; 3) every message 
contains information to tell the IMPs if the 
message is for it, if it isn’t it is ignored 



block: 1) refer to packet; 2) "blocking** occurs 

when a message arrives from outside the system 
but cannot enter a node due to lack of buffer 
space 



bulk data traffic: traffic composed of messages of 
more than 100,000 bits or, traffic which is not 
bur r t y 

bursty traffic: traffic composed of messages of 

short duration; for this thesis, bursty 
messages will not exceed 16334 bits in length 
(excluding transmission overhead) 
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communication node: for this thesis, a node, 

designated by a H C M , which can only generate 
job requests; the M C ,f nodes are gateways 
frotn/to other networks 



CRC code: cyclic redundancy code, a polynomial 

checksum scheme which is used for the detection 
of transmission errors; for more information 
refer to Tannenbaum 1 s Computer Networks 



data base transfer traffic: for this thesis, 

messages which have a length of at least 
100,000 bits 
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discretionary/non-discretionary security procedures: 

1) discretionary security access procedures 
implement H need-to-know M protection that are 
established and may be changed by the 
organization which has cognizant authority over 
the resource to be accessed; 

2) non-discret ionary security access procedures 
implement mandatory access controls that 
require all users to be cleared to a security 
level and compartment equal to or exceeding the 
c lass if ica t ion of the resource being accessed 

error: a conditon that arises because of incorrect 

bits in a message as detected by a cyclic 
redundancy checksum (CRC) 

encryption: a method useful for protection of data 

that must be transmitted over media that 
cannot be protected against unauthorized 
monitoring; two types of encryption: a) link: 

implies encryption and decryption by each 
network processor, is used for data flowing 
over a specific physical path (link); b) end- 
to-end: the message is enciphered once at the 

source and deciphered only at the final 
destination (LAN 83: 87) 

fault: a condition that arises when a link is 

inoperable or a node fails 



xi 






fault tolerant: a fault in one component does not 

bring the system to a halt; through redundancy in 
critical components and/or through the isolation 
of a fault to limiting the loss of service to a 
small fraction of the whole, a fault tolerant 
system displays "graceful degradation" 

flexibility: that characteristic which permits 

growth and extension in functional 
capabilities, in number of nodes, and in 
geographic coverage 

host: the computer system connected to an IMP or node 

IMP: interface message processor; the basic 

communication component in a node, a 
communication support computer 

interoperability: that characteristic which is the 

ability to communicate across different networks 

intruder: an unauthorized agent or entity 

multi-level secure network: for this thesis, a 

network which supports concurrent /s imul taneous 
transmission of different security 
levels/categories; a multi-level secure network 
does not imply that the operating systems of 
hosts attached to its nodes are multi-level 
secure, each node’s hosts may be operated at 
dedicated, system high, compar tmen ted , and/or 
multiple secure levels 

multiplexing: the process of achieving simultaneous 

transmissions of distinct signals over one 
channel of communication; there are two basic 
techniques: (1) frequency division and 2) time 

division (THO 71: 11-14) 

node: an IMP and the equ ipmen t / ma ch ine s connected 

to it; for this thesis, only one host is 
associated with each node 
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packet: a data transfer unit which is exchanged 

between nodes* one or more units make up a 
complete message; for this thesis* each packet 
will have a fixed length of 102,400 ( 100K) bits', 
this length includes holding up to 100,000 bits 
of data plus 2,400 bits of header and trailer 
information 

point-to-point: also known as M s tore-and-f orward" , 

this is a communication technique whereby a 
message or packet is sent from one IMP to its 
destination IMP; when the source and 
destination IMPs are not directly adjacent or 
connected to one another, the transmission is 
via one or more intermediate IMPs, at each 
intermediate IMP the message is received in its 
entirety and temporarily stored there until it 
can be transmitted "forward" towards its final 
destination 

protocol: the rules and conventions used to control 

network functions; logical abstractions of the 
physical process of communication; protocols 
perform three tasks: a) establish standard data 

elements, b) establish conventions, c) establish 
standard communications paths (MCQ 78: 1); refer 

to Figure 11-2 for the seven layer ISO reference 
model 

reliability: a) that characteristic which refers to 

the freedom from loss of service due to random 
failures in the equipment or facilities 
(STO 80: 1472-1473), often referred to as 

"a va i 1 ab il i t y " ; b) freedom from random 
transmission errors 

security reference monitor: a set of trusted 

hard v; are and software that establishes and 
enforces network security access controls to 
include all discretionary and non-discret ionary 
policies and provide complete mediation 

SLN: secure local network 
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survivability : that characteristic which is the 

ability to survive enemy actions; to Stoveri 
the three aspects of monitorabil ity , self- 
diagnosis, and maintainability are related to 
survivability (STO 80: 1241-1242) 

switching methods: techniques used to affect how 

different users share the transmission medium 
(refer to Table 11-3) 

TCP/IP: Transmission Control Protocol /Internetwork 

Protocol; developed on the ARPANET, the • 

protocol set adopted by the USAF as standard 
for all networks; refer to DOD 82, USAF 82, 
and USAF 83 sources for more information 

topology: the physical layout of a network; there 

are two levels: 1) backbone - the inter- 

connection of IMPs; 2) local access - the 
interconnection of hosts, terminals, and 
peripherals to a specific IMP 

trusted: a component comprised of hardware and/or 

software that can be relied on to enforce the 
relevant security policy; a " 'trusted 
computing base’ is . the totality of 
protecting mechanisms within a ... system 
... the combination of which are responsible 
for enforcing a security policy." (LAN 83: 88); 
a trusted component is correct (i.e., it 
operates according to its specifications) and 
incorruptible (i.e., it cannot be modified by 
an intruder) (NES 83: 1059) 
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This research sponsored by the USAF’s HQ ESC/AD 
develops a multilevel secure host-to-host computer 
local area network* The design process is presented. 
The resulting network uses a ring topology with 
packetized point-to-point switching over fiber optics 
communication links. For transmission security, 
packets are source hos t-to-dest inat ion host encrypted 
as well as encapsulated with link-to-link encryption. 
Message transmission is controlled with message 
acknowledgements and credits within a non-preemptive 
three priority class queue. A simplified version of 
the resulting network was validated by applying 
Jackson’s Theorem. Additionally, the simplified view 
was modeled with a PASCAL simulation program executed 
on a 64K microcomputer. Unfortunately, the comparison 
of the simulation against the analytical results that 
were obtained using Jackson’s Theorem was not possible 
due to problems modeling the network on the micro- 
computer. Follow-on work in the area of simulation is 
needed to successfully complete the simulation and 
compare results* 
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Chapter I: Introduction 



Overview . 

General Requirements . This thesis was sponsored by 
the-U.S. Air Force 1 © Electronic Security Command at 
Kelly A.F.B., Texas (HQ ESC/AD Bldg 2000 San Antonio, TX 
78243), It develops a multi-level secure host-to-host 
local computer network model. Mr. Hoelscher (Chief, 
Executive System Software Branch and Technical Advisor, 
Directorate of Systems Technology) served as the point 
of contact at HQ ESC/AD. He provided the constraints 
and requirements which influenced the network’s design 
(HOE 82 ; HOE 83) . 

There were two major ESC requirements that had to 
be met for a successful design. The first one was that 
the network had to efficiently process traffic that 
would be primarily bulk in nature. 

The .second major requirement was the most important 
and restrictive; the network had to be secure and 
provide concurrent multi-level security. The security 
aspects were pervasive because the network was required 
to receive, transmit, and process classified and 
compartmentalized information that, if compromised. 
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could damage national security. 

Additionally, the resulting model had to be - 
verified. A simplified version of the model was 
analytically evaluated by applying Jackson's Theorem. 
Additionally, a limited simulation written in PASCAL was 
attempted on the streamlined model. The simulation vac 
executed on a 64K microcomputer. Unfortunately, this 
part of the verification was not completed to form a 
part of the model's analysis. 

These issues were refined during the development of 
the thesis. But the dominant requirement throughout the 
design process was security. 

Multi-level security requirements and the 
protocols and architecture required to support them 
are areas that have received increased interest as 
illustrated by the bibliography of this thesis. The 
many favorable characteristics of computer networks have 
been well documented by authors such as Booth, the 
Dennings, Donaldson, Kent, Kline, Kuo, Popek, Stelte, 
Tanenbaum, Tropper, and Weitzman. However, primarily 
due to a fear of compromise, the military has not taken 
full advantage of computer networks (STI 80: 1472). 
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Recently, with the advent of applications such as 
electronic fund transfers, security problems have been 
receiving greater scrutiny by the business and academic 
communities (KEN 76: 8; KON 81: 761; KUO 81: xi; TAN 
81b: 480)* Many experts feel that even with safeguards 
such as access controls, flow controls, data encryption, 
and inference controls, '‘absolute** security is 
impossible (DEN 79: 227-228, 246; POP 79: 355). But 
what degree of security is attainable? 

Organizat ion . Prior to performing any analysis 
which would lead to a model for a secure network, an 
approach was required. A series of principles were 
reviewed and those deemed appropriate were adopted. 

These principles formed the foundation of the 
methodology that was adopted to develop the network. 

This methodology is covered in Chapter I. 

The next chapter is a discussion of some of the 
major constraints and requirements that apply to the 
model, those of security. The final section of the 
second chapter presents several safeguards and 
assumptions on the model's security and its environment. 

The third chapter discusses how and why this 
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particular model was developed. It describes in detail 
the design process. The decisions made concerning 
topology, network control* and protocols are presented 
her-e with the ever present influence of security. 
Whenever possible, while examining the model's various 
features* comparisons arc made among the advantages and 
disadvantages of other network designs. 

In the fourth chapter, the analysis and verification 
are discussed. The simplifying assumptions and the 
results of applying Jackson's Theorem are analyzed. 

The final chapter presents conclusions, 
recommendations, and further areas of study generated by 
this thesis. 



Methodology 

Background . The methodology adopted tor this study 
rests on two distinct but related sets of principles. 

The overriding set of principles are security related. 
However, the network could not be developed strictly 
with security in view if it was to perform any useful 
applications with any reasonable degree of efficiency. 
Therefore, the overall approach was to develop a network 
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with the additional principles of simplicity, and. 
reliability. The goal was a network which was as simple 
as possible (to ease implementation, review, 
maintenance, and future growth) and as available (fault 
tolerant, vith long mean-t ime-be tween-f a ilures , and with 
short time-to-repair ) as possible while not over 
complicating the design aspects which would make it 
impossible to provide adequate security. 

The principles followed to analyze, develop, 
and maintain security were adapted from Dr. Stephen B. 
Kent’s "Protocols and Techniques for Data 
Communication Networks". Kent delineates eight 
specific principles of design. 

Ke nt ’ s Pr incip l es . Kent’s first principle is 
probably the most important. The design should be 
simple. A simple design simplifies the tasks of 
implementation, verification, and maintenance. 

The next two principles, that of fail-safe 
defaults and of complete mediation, are constraints 
that help attain a secure system. These principles 
are directed not at exclusion (or "why not" permit 
access) but at "why" should access by allowed. This 
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positive approach constrains the set of who may 
access the system and its resources in a manner 
which permits greater restriction and hence less 
chance of an intruder penetrating through oversight. 
Thus, access will only be permitted if specifically, 
instead of tacitly, granted. The default will be to 
deny access. In this manner, the person seeking access 
must go through some human (security officer) control 
prior to the system getting his "name" in the system's 
access roster. Therefore, all users are required to 
comply with non-discret ionary (mandatory) security rules 
which serve as an overall barrier to the intruder. But 
discretionary control should also be provided. This 
control can be specified at the option of the user who 
can further constrain what he does for a particular 
application, session, and/or transaction (AME 83a: 13). 

With users conscientiously applying discretionary 
security rules, unnecessary security risks are avoided. 

The fourth principle is not widely accepted by 
the military. It is the principle of open design. 

The argument against an open design is that "a 
secret design may have the additional advantage of 
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significantly raising the price of penetration, 
especially the risk of detection**. But Kent argues 
that an open design is easier to review since there 
is no need to hide safeguards which should remain 
secret in a closed design (KEN 81b: 372). However, in 
light of the sensitivity of national security 
requirements, a closed design should be followed. 

Separation of privilege and of least privilege 
are the fifth and sixth principles. These 
principles help limit damage from penetration. They 
enforce least access, ensure **need-to-know*', and add 
the safeguard of multiple keys for access to any 
given level. Any security violation should have a 
limited scope of potential compromise/damage. Not 
only should there be separate access rosters for 
different security classifications, but each 
security classification should be compartmentalized 
to deny complete access to that level in case of 
penetration. This compartmental izat ion is created 
through separate rosters, passwords, and even 
hardware safeguards which will act as bulwarks and will 
not allow complete access to a level when one section 
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has been penetrated. This need to limit damage is 
further emphasized in the seventh principle. 

The seventh principle is that of least common 

mechanism. By keeping to the very minimum 
% 

mechanisms which are in common throughout the 
system* penetration can be more readily localized 
and subversion of the entire system is less likely 
to occur. This entails the use of separate rosters 
and different passwords for each system resource* as 
well as the use of other physical, software* hardware, 
and human safeguards to secure components of the system 
from a potential intrusion (the use of discretionary 
controls helps accomplish this endeavor). Thus rosters 
cannot be accessed by the same password and different 
passwords and security profiles are required for 
different resources located in separate physical 
locations (like vaults) to which access is restricted to 
different sets of users. 

Because of these principles* different 
authorizations or permissions are required to access 
different components and compartments. By requiring an 
audit trail that tracks location of user, passvord(s). 
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location of resource(s) required, and time of 
sy e tem/r esource call and release, a system can be 
Implemented with multiple crosschecks which will reveal 
where a penetration has occurred, what has been subject 
to compromise, and the extent of the compromise. 

Knowing what has been compromised is a major goal in a 
security conscious environment. 

Finally, the last principle is that of 
psychological acceptability. User friendliness is a 
concept often overlooked. But a safeguard which can 
not be easily and routinely used is often ignored. 

What is the use of passwords if the user has them 
written on a piece of paper in his wallet because 
they are so many and so long? This results in the 
elimination of a barrier for a potential intruder. 
Whenever and wherever possible, the safeguards and 
countermeasures should be automatic and should use 
only trusted system components. 

The Approach . The approach taken to apply this 
methodology was to first read about networks and 
then analyze network designs in light of Kent’s 
principles. The works of Clark, Kuo, McQuillan, 
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Tanenbauo, Thurber and Trcppcr were the roost applicable 
during the initial stages of this study. Acceptable 
designs were: earmarked for further comparison during 
which additional constraints caused by the environment 
wt*e applied. Once the choices were narrowed to a few 
general options, a comparison of their respective 
advantages and disadvantages was made using tables 
derived from the previously mentioned sources (as well 
as from the works of Agrawala, Bux, Habara, Homayoun, 
Ikeda, Penney, Popek, Kent, Stillman, Stover, and Wolf) 
which summarized these characteristics. From these 
tables a choice of topology, network access controls, 
and protocols was made bearing in mind the need for 
simplicity and reliability. 

The chosen options (discussed in Chapter III) were 
t !; t n combined into a design which could meet the desired 
characteristics for the secure network. It was then 
necessary to validate this design. To do so, Jackcon’s 
Theorem was applied to a simplified version of the model 
as a check. Then an attempt was made to perform a 
PASCAL simulation on a 64K RAM microcomputer of the 
streamlined model. This was done to achieve greater 
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confidence in the results end, also, to investigate how 
a network validation could be performed on a 
micr ocomput er • This, unfortunately, was not completed 
as part of this thesis. The choice of machine and the 
choice of language caused problems which were not 
resolved by the completion of this research. Thus, 
verification of the model was by way of Jackson’s 
Theorem and only for a simplified version of it. 

Before an analysis was feasible, a design was 
required. But what must the network to be designed 
safeguard against? An overview of security requirements 
is presented in the next chapter. 
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Chapter II: Security 



Security Requirements : An Overview . 

T he Environment * The environment in which a 
network oust operate constrains the topological 
options available for implementation. Additional 
restrictions occur when the network must be a secure 
local network (SLN) . 

According to Coviello and Lebow, "the essential 
distinctions** between military and non-military 
applications “can be summed up with the single 
catch-phrase ’survivability’** (COV 80: 1441). The 
military environment can range from peacetime to 
nuclear warfare. But many systems need not 
safeguard against all the conditions of the entire 
range of possibilities nor may they be able to do so. 

For example, this thesis’s particular SLN is not 
expected to withstand overt physical attack. But 
survivability is possible only for a specific set of 
threats (COV 80: 1441)* so what are the set of threats 

to be met by this thesis’s SLN? 

Safeguards, Threats, and SLN Characteristics . The 
spectrum of safeguards and related threats which any SLN 
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should be able to survive are covered, among others, by 
Kent* Popek, and Stillman* The cited work of these 
authors does not cover the threat of war* Since the 
SLN developed for this thesis is not expected to survive 
in wartime, the safeguards and threats presented by them 
apply to the model* Unf ort unately , not one of them 
gives a definite way of implementing any of these 
safeguards • 

In pages 778-779 of his article “Security 
Requirements and Protocols for a Broadcast Scenario*’, 
Kent lists five major security requirements to counter 
potential threats. The first requirement is the need to 
prevent unauthorized release of message text. Then 
there is the need to prevent (or disrupt) traffic 
analysis by potential intruders. Wiretapping is one way 
that intruders can attempt to get the information they 
should be denied. Therefore, the need to safeguard 
against both active and passive wiretapping is critical. 
(Passive wiretapping is merely the listening of traffic 
without attempting to modify the transmission stream. 
Active wiretapping includes the insertion and/or 
deletion of traffic to modify the transmission stream.) 
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Kent also presents the need to verify message 
authenticity, integrity, and ordering as the fourth 
requirement. It is closely related to the need to 
prevent message stream modification, message deletion, 
and spurious or intentional message insertion (the fifth 
requirement ) . 

Popek end Kline present many of the sane 
requirements (POP 79: 332-334). They also mention 
the need to safeguard against the tapping of lines 
and the introduction of spurious messages. 

Additionally, they mention that safeguards are 
needed to prevent retransmission of a previously 
transmitted and acknowledged valid message and to 
detect and/or prevent disruption (or blockage) by 
malicious (intruder /interloper) acts or system 
failure (s) . 

The military's view of the threats is presented 
by Stillman and Defiore (STI 80: 1472-1473) who are 

technical advisors to the Air Force (USA f /SI). They 
reiterate the need to prevent unauthorized access to 
classified information, the need to assure 
information integrity, and the need to counter 
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wiretapping and analysis of traffic flow. Also they 
expand upon the need to guard against unauthorized 
access to physical facilities and communication 
links and against subversion by unauthorized users 
and authorized users not in their authorized "area". 
Furthermore* they present the need to protect the 
availability of resources for authorized use in 
three operational environments: routine, high 

traffic stress* and degraded operations which 
includes protection of authorized users from each 
other . 

Stover presents safeguards and threats in a 
different way by defining six characteristics that 
any military SLN should have (STO 80: 1241-1242). These 
characteristics are desireable and pertinent to this 
SLN, too. They were used in helping reject options in 
Chapter 111. 

The first characteristic is that of survivability 
which Stover defines as the ability of the digital 
communications function to survive enemy actions. Stover 
presents the three related aspects of survivability: 
mon i t or ab i 1 i t y , self-diagnosis, and maintainability. To 
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Stover, monit orabll ity , self-diagnosis, and 
maintainability mean that the network must be tolerant 
of failures; that failures must be detected, isolated, 
temporarily accommodated by operational procedures 
(which should be automatic whenever possible); and that 
failures must be repairable. 

The second characteristic, reliability, refers 
to the freedom from loss of service due to random 
failures in the equipment or facilities, i.e. network 
operation ideally should not depend on the continued 
operation of any particular node or transmission 
link. A reliable system is dependable. 

The next two characteristics, accuracy and 
stability, are related. Accuracy and stability 
refer to timing (message synchronization) and 
timing contributes to error detection and 
identification as well as to reliability. The key 
concept here is that the sending and receiving nodes 
agree when to send and expect messages and how these 
messages are being relayed. For example, if a 
message is expected and none is received in some 
given amount of time (a tolerance factor), then it 
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Is safe to assume that some error has occurred. At 
this time , some error handling protocol gains 
control of the processing. As the percentage of 
errors that occur and are not detected decreases, 
the system reliability increases. 

Flexibility is that characteristic which 
permits growth and extension in functional 
capabilities, in number of nodes, and/or geography. 

By their nature, networks tend to have the 
flexibility of incremental growth (BOO 81: 6-31; KUO 
81: ix-xi; TAN 81a: 3-5). 

The last characteristic is that of 
interoperability. Interfaces with other digital 
communication systems should be f ac i 1 i t a t ed *by 
having a timing which assures that the buffers will 
not have to be reset more frequently than at some 
acceptable rate. 

Another aspect of interoperability is the 
ability to communicate across different networks. 
Connectively between networks is usually made over nodes 
that are called gateways. (Gateways convert from one 
protocol to another (TAN 81a: 354). Value-added 
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gateways are gateways that also do some additional 
processing (like filtering traffic by security level, 
encryption/decryption processing, or guard functions); 
ESC’s gateways are all value-added gateways.) An 
additional means of achieving internetworking is to 
force a common protocol set among all networks for 
purposes of homogeneity. 

In any case, not all of these safeguards, threats, 
and characteristics are applicable to this model. The 
next section shows the relationships of the above 
concepts to the SLN model developed. It addresses the 
assumptions made and the physical constraints which 
define the network’s many requirements. 

Model’s Security Assumptions and Safeguards . 

Physical Security . Without physical security, no 
other security safeguard is effective (WOO 81: 70). The 
SLN designed in this thesis will have guaranteed 
physical security. It will be located in a secure 
building which has active and passive safeguards. All 
the re sour c e s /hardware will be in rooms that will be 



further secured within the building. Furthermore, all 
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equipment , as well as the transmission lines, will be 
sheathed to shield against electromagnetic emanations 
which would permit eavesdropping. Access controls at 
each node will insure against the possibility of someone 
at one node illegally accessing resources at another 
node . 

A More Secure Transmission Medium . There are two 
major choices for transmission medium for this 
network, coaxial cable and fiber optics. A comparison 
of the security characteristics of these two media 
f ollows . 

If the transmission medium chosen were fiber optics 
instead of coaxial cable, tapping would be more 
difficult (WOO 81: 70). Also, because the media will be 
physically sec-ire, another critical security advantage 
of fiber optics over coaxial cable is found in the realm 
f'f electromagnetic radiation. Unlike coaxial cable, 
electromagnetic impairments are nonexistent in 
transmissions over fiber optics medium (CLA 81: 23; HOM 

80: 980-981; KEN 83). Finally, encryption techniques 
can be applied with fiber optics just as well as with 
coaxial cable (WOO 81: 73). 
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Because of the above taentioned characteristics 



fiber optics is a more secure transmission medium and 
worth any additional expense. Tabic III-4 (on page 50) 
summarises the characteristics of both media. 

Encryption: Advantages and Disadvantages . 

Simmons (SIM 79: 314) and Popek (POP 79: 332-333, 335- 
336, 338) consider encryption to be the only way to 
send information over unsecure media and the best way 
to improve security and message integrity. Wood 
states that "cryptography is the only cost-effective 
control 11 against many threats and is essential for the 
maintenance of message integrity (DAV 81: 155, WOO 81: 

71). 

Simmons also argues that encryption helps 
provide secrecy and integrity. But Simmons warns that 
it is not perfect and is best used in authentication 
(SIM 79: 314, 322). Popek and Kline also recommend the 
use of encryption for authentication (POP 79: 336); but 
they categorically state that it does not provide 
protection against inadvertent or intentional 
modification of data (POP 79: 338). (The use of checksum 

techniques can provide a modicum of protection in this 



20 




area (RUS 83).) 



Therefore, encryption Is but one control, not a 
panacea, and Is useless without physical protection (WOO 
81: 70). But it helps achieve secrecy /conf identiality 
(i.e. protects data and the eource and/or sink from 
disclosure), it preserves data integrity, and it allows 
for the introduction of enciphered signals to conceal 
message length and frequency statistics which are 
critical for traffic analysis (LAN 83: 87, WOO 81: 71). 
Wood emphasizes end-to-end rather than less secure and 
more expensive link-to-link encryption. But the use of 
both methods simultaneously does add an additional 
degree of security. Wood also believes that encryption 
is vital because it can provide message, user, and 
process authentication and validation assuring integrity 
of transactions (WOO 81: 74). 

Kent states that encryption (and all other 
security requirements and tasks) can cause 
unacceptable overhead that adversely impacts upon 
network performance (KEN 81a: 785; also supported by RUS 
83: 55-57); but it is the most effective countermeasure 

(KEN 83; LAN 83: 87; SEA 83: 54-58). Furthermore, these 
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adverse effects can in part be offset by high speed 
communication links (KEN 81a: 785). 

Encryption will be the primary means to maintain 
security within the network. It is a good way to 
protect against alteration of message contents and 
message insertion; and it preserves data and 
transaction integrity (LAN 83; NES 83; POP 79; SIM 79; 
WOO 81). 

Mod el's Encryption . Stillman's advice on 
encryption is "rather than attempting to separate 
multi-level users by monitoring and controlling data 
accesses, end-to-end encryption attempts to disguise 
the data at the source, maintain them in 
unintelligible form all along the communications 
path, and decrypt them only at the destination" (ST1 
80: 1473-1474). This advice is followed in the 
model. All transmissions over the network are 
encrypted twice. But, agreeing with Stillman (and 
Rushby and Randell) that security often rests on the 
secrecy of the key rather than the algorithm, this 
thesis will not have algorithm selection nor key 
distribution techniques within its scope. 
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In this model , there are two levels of 




encryption which combine link and end-to-end (in this, 
case source host c ompu te r- t o-f ina 1 destination host 
computer) techniques* The inner level is 
undecipherable to all nodes except the one to which 
the message vac addressed (i.e* a separate key for 
each pair of source and destination nodes conforming to 
end-to-end encryption). Furthermore, a distinct and 
different key is used to encrypt each message* The 
outer level of encryption is link-to-link and uses 
another key (which is unique for each channel and is 
changed periodically) known to all physically connected 
pairs of nodes which will contain, along with othw-r 
information, the message destination. The safeguards 
and protocols associated with proper message handling 
are discussed in Chapter III. 

Miscellaneous Issues * All issues pertaining to key 
management (i*e* generation, distribution, and control), 
which were assumed trusted, were beyond the scope of 
this thesis. Remote key generation and distribution was 
assumed available through trusted components. Also 
beyond the scope were the interfaces between the SLN 
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and any other network. Therefore, security of the 
communication links into the net from areas outside of 
the building was assumed adequate. Access was in 
accordance to the principles delineated by Kent and 
reiterated by Ames. All three factors presented by 
Downey for access control (which he defines as 
clearance /classification , compartments! ization, and 
need-t o-know) were considered (SCH 73: IV-25-26). But 
all these safeguards were not within the scope of this 
thesis . 

Summary . 

The security of the network will be established 
on four key points. First and foremost, because without 
it no security is possible, physical security will be 
assumed. Then, all equipment used will be sheathed as 
required to protect against electromagnetic emanations. 
Next, all transmissions will be source host computer-to- 
final destination computer encrypted with message unique 
keys as well as encapsulated within link-to-link 
encryption which uses different keys for each channel 
which are periodically changed. Finally, Kent f s and 
Downey’s security access principles will be assumed 
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Implemented on trusted systems. 

The next chapter presents a detailed discussion 
of the model and how it was designed bearing in mind the 
security constraints elaborated on in this chapter. 
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Chapter III: The Model 
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This is a tuodel of a local hos t-to-hos t computer 
network which will be used to support distributed 
processing and will concurrently support two different 
levels of security classifications. Security 
requirements will be considered at each step. 

Additional requirements which the design should meet are 
that the resulting model portray a network: 1) that is 

maintainable, 2) that is fault tolerant, 3) whose 
arrival and service rates can be varied, and 4) whose 
traffic, the composition of which can also be varied, 
can be limited to database transfers (which will be at 
least 30 percent of the traffic) and "bursty" 
interactive work primarily associated with distributed 
processing. "Bursty" traffic is defined as messages of 
less than 16334 bits, (It was determined that up to 50 
-- but not more than 80 -- percent of the bursty traffic 
would consist of a single screenful of data, this was 
calculated to be less than 16K bits (HOE 83). The 
database transfers are messages averaging 100,000 bits. 
Database transfers will range between 100.000 and 
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900*000 bits. As specified by ESC/AD* the network will 
consist of seven nodes; three of the nodes will be 
communication nodes providing connectivity to different 
external long haul networks and four of the nodes will 
be application nodes. 

This chapter discusses how and why this 
particular model was developed. It addresses itself 
to decisions concerning the topology* the network 
control, and the protocols. At each step, all 
pertinent information, especially relevant security 
considerations, and the options available are presented 
along with the decisions made. It concludes with a 
summary of the model. 

Topology . 

When developing a local network, one of the 
first decisions involves the choice of backbone 
topology. (This thesis does not include a discus- 
sion of the local access topological design since 
the research was directed to a host-to-host network. 

The connection of the hosts, terminals, and peripherals 
to interface message processors (IMPs) is not within the 



scope of this thesis. It is assumed that the nodal 
hosts are connected to a peripheral local area network 
or that the peripherals are directly connected to their 
nodal host.) This decision is affected by such issues 
as topological simplicity, ease of implementation, 
message transmission control, fault tolerance and 
reliability characteristics, and the work the network is 
expected to perform. In this particular case, the issue 
of security considerations could be and were relegated to 
the protocols, but they permeated the selection process 
of topology, too. 

There are three basic topologies applicable to 
the backbone of a local network to choose from: the 

star, the ring, and the web (CLA 81: 19-20). These 
topologies are shown in Figure 1II-1. It should be 
noted that the same topologies are often known under 
different names. These aliases are presented in Table 
111-1 (page 32) after a discussion of each of the three 



basic categories. 
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c) WEB 



Figure 1 1 1 — 1 . Topologies: a) Star b) Ring c) Web 

Star Network . The star network is a simple 
structure. Unlike an uncontrolled topology, the 
star eliminates the need for each node receiving a 
message to make a routing decision to forward the 
information by centralizing all message decisions in 
one node (BAS 1: 366; CLA 81: 19-20; HAB 60: 964- 

963; PEN 79: 166; STA 80: 63). 

While this centralization seems at first to be 
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an excellent way to maintain security over all 
traffic; it provides potential availability problems 
if, for example, the central node fails (CLA 81: 

21). A standby redundant control node configuration 
could overcome this problem. But in any case, the 
central node could become a bottleneck for traffic (HAB 
80: 965) and it presents to the intruder a tempting 
target at which to disrupt the entire system. 

Ring and web topologies attempt to overcome the 
star network’s vulnerability by eliminating the central 
node without completely sacrificing simplicity (CLA 81: 
19-20; TRO 81 : 7-11). 

Ring Network . In ring topology, we find 
messages going from node to node along und irec t iona 1 
links until it arrives to its destination. Since 
each node only has to recognize if the message 
has arrived at its final destination or else 
transmit it to the next node in the line, routing 
decisions are kept to a minimum (WIL 80: 507). 

But single loop rings suffer from poor fault 
tolerance (TRO 81: 53; WOL 81: 149). .Fortunately, 

this problem can be overcome with multiple loops 
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(PEN 79: 171-172, 228; TRO 81: 53, 73-74; WOL 81: 

150). 

Web Network . The web is characterized by 
having all processing elements attached to a common 
channel which is employed in a broadcast mode (CLA 
81: 19-20; PEN 79: 166; TRO 81: 73-74). It is 
superior in fault tolerance (BAS 81: 366); but 
suffers from control problems in the areas of 
synchronization, flow, and error control (HAB 80: 965). 
Furthermore, for reasons of security, it is not 
acceptable. Let us next examine the security appli- 
cable issues. 

In a secure network, a clear audit trail for each 
transmission is required so that message arrivals can be 
verified. Each message should only have on desti- 
nation. With only one destination, security control 
over the traffic is simplified and it is easier to 
identify which messages are lost or inserted without 
authorization (whether or not the cause is from mali- 
cious acts or by spurious system errors). Therefore, 
broadcast modes are not desirable. Because of this and 
related security complications which arise from broad- 
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cast modes of operation, the web network is unacceptable 
Table III-l, derived from the works of Bass, Cl*ark, 
Habara, Penney, Stack, Tropper, and Wolf (BAS 81: 366; 
CLA 81: 19-22; HAB 80: 964-965; PEN 79: 165-166; STA 80: 
83; TRO 81: 7-72, 73-^4 ; WOL 81: 148-150), summarizes 
the attributes of the topologies discussed. 



Table III-l 
Comparison of 

Controlled Network Topologies with Aliases 
Part I 



Network j 
Name 
and 

Aliases 


Advantages 


Disadvantages 


Star 


1) Simplicity 


1) Traffic 




of design 


inef f iciencies 




2) Localization 


due to central 




of damage in 


node 




case of fault 






3) Ease of 


2) Central node 




incremental 


failure shuts 




growth 


down network 




4) Simplicity 






of routing 


3) From a security 




5) Potential 


perspective 




centralization 


central node 




of all security 


vulnerability 




tasks 
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Table I1I-1 
Comparison of 

Controlled Network Topologies with Aliases. 

Part II 



Network 

Name 

and 

Aliases 


Advantages 


Disadvantage s 


Ring 

Loop 


1) Traffic 
ef f iciency 
due to high- 
way capacity 


1) Design 

moderately 

difficult 




2) Short average 
circuit 
length for 
intra-ring 
calls 

3) Good fault 
tolerance 
with multiple 
loops 

£) Good message 
audit trail 

3) Relatively 
few routing 
decisions 


2) Incremental 
growth more 
difficult 
than for Star 


Bus 

Web 

Mesh 


1) High degree 
of fault 
tolerance 


1) Design very 
difficult 




2) High degree 
of 

flexibility 


2) Route 

processing 
dif f icul t and 
further 
compl icat ed 
with security 
controls 
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Topology Decision . This analysis led to the 
decision to opt for sons form of a ring topology^ 

The advantages of ring networks speak for 
themselves. King networks are relatively simple to 
implement, relatively easy to modify (i.e. easy to 
add/delete processing element s/nodes) , have relatively 
low start-up, modification, and maintenance costs (TRO 
61: P p . 8-9, 73), hove a high degree of bandwidth 
efficiency, and, with the advent of multiple-loop ring 
networks, the fault tolerance problems can be overcome 
while minimizing security problems (FAR 81: 133; PEN 79 
172, 228; TRO 81: 53-55; WOL 81: 148-150, 158, 162). 

After deciding which topology to use, the next 
issue to be resolved is what network access control 
scheme to apply. Controlling transmission over a 
network is an important design issue (CLA 81: 19-20). 

When can a user gain access to and control over the 
transmission medium to enter data onto the backbone? 

Network Access Control . 

There are many different network access control 
schemes that are applicable to a r ing . t opol ogy . 

This section presents four of these strategies and 
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discusses which was chosen to gain access onto the 
network ! s transmission medium. The first strategy 
to be examined is known as contention or random 
access. This strategy is most often encountered in 
bus topologies; but it has also been suggested for ring 
topologies (CLA 81: 21; PEN 79: 166). The next three 
are considered the "basic" ring access strategies (BUX 
81: 1465; CLA 81: 20; TRO 81:8). 

Content ion . Thre are many contention 
strategies (TRO 81: 77). In a contention scheme, 
any node wishing to transmit does so. If two (or 
more) nodes transmit simultaneously, a collision 
occurs which will theoretically result in garbled or 
lost transmissions. Therefore, one contention 
control strategy (carrier sense multiple access -- 
CSMA) depends on the node that transmits detecting these 
collisions and, when it does, waiting a random amount of 
time before attempting retransmission. Unfortunately, 
as the number of nodes increases, performance 
deteriorates . 

Also, contention schemes are better suited for 
"bursty" traffic. This is because contention schemes 
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lead to a very low limit on the percentage of channel 
capacity which can be utilized without causing the . 
network to overload (saturate) with retransmission 
traffic (BUX 81: 1470; CLA 81: 20-21; LIS 83: 30; STU 83 
72-76; TAN 81b: 469; TRO 81: 76, 131-133), This 
disadvantage of the contention scheme relates to the 
complexity of the transmit/listen/retransmit if 
collision detected control technique. Over a ring, the 
propagation delay is a limiting factor (SALW 83: 184, 
190) . How long should a node listen for a collision? 

The unidirectional flow of messages from node to node 
provides a natural ordering of all nodes that should 
permit a much lower collision rate (CLA 81: 21). Also, 
a contention scheme could be implemented between each 
pair of nodes to limit the propagation to one hop; but 
then a message that is not destined to an adjacent node 
has to be retransmitted from every intermediate node 
that it must cross. The difficulty of implementing any 
contention scheme is not necessarily warranted if a more 
feasible network access control scheme exists. 

For this model, contention schemes display three 
major disadvantages. The first critical 









d i tadvantage of contention schemes is that they are 
meant to handle primarily "bursty" traffic and not 
the data base transfer transmissions which dominate 
this network. The next disadvantage is the complexity 
of a contention scheme -- when a goal is to keep things 
simple (Chapter 1: Methodology* page 4), complexity is a 

disadvantage. The third undesirable characteristic is 
that security will be complicated by contention 
strategies because of "lost" transmissions. Because of 
these three disadvantages* contention schemes are not 
deemed appropriate for this model. 

Slots . The Pierce loop illustrates the slotted 
ring access strategy (AGR 78; 674-675; BUX 61: 1466- 
1467; PEN 79: 167-168; TRO 81: 8-9. 21-22; VOL 81: 

149). In this strategy, a (one or more) fixed length 
time slot, generated and synchronized by a designated 
supervisory node, continuously circulates around the 
ring. To inform a node whether or not a slot is in use 
("full") or not in use ("empty"), a header is attached 
to each slot. When a node wishes to transmit a message, 
it must wait until an empty slot which it can fill 
reaches it. At that time, the node alters the header to 
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reflect that It Is full and then uses the slot to 



transnit its csessage. The filled slot eventually makes 

Its way back to the node that filled It where It Is 

recognized, captured, and, if there is nothing to 
•• 

transmit, marked empty. If there is more traffic to 
transmit, the slot is reused immediately. It is becaure 
of the ability to immediately reuse a slot that a node 
with a heavy flow of traffic can "hoe" * time slot 
% \ 0 Bis 70). 

The major advantage of this control scheme is that, 
with more than one slot, simultaneous transmission of 
messages can occur (TRO 81: 8-9). This strategy was 
deemed appropriate for this model despite the adverse 
performance characteristics of "loop hogging* 1 . 

Tokens . The token ring access r trategy is 
illustrated by the Newhall loop (AGR 78: 675; BUX 
81: 1465-1466; PEN 79: 167-169, 176; TRO 81: 9, 11; 

VOL 81: 146-149). Permission to transmit is passed 

from node-to-nodc by a circulating token. When a 
node receives the token, it may transmit one 
message. If there is no message to t anstnit, or 
after transmitting one, the token is passed to the 
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next node in the loop* The major advantage of this 
control scheme is that it allows the transmission of. 
variable length messages (TRO 81: 8-9). Kummerle and 
Reiser categorically state that token passing is 
superior over a wider range of parameters than 
contention schemes (KUM 82) which provides greater 
potential long-term utilization. This strategy was 
also deemed appropriate for this model. 

Shift Register Insertion Technique * The shift 
register insertion technique has been applied in the 
distributed loop computer network (DLCN) and also by 
the double distributed loop computer network (DDLCN)* 
According to Tropper, the shift register insertion 
technique has the major advantage of the slot 
(simultaneous transmission) as well as the variable 
message length handling ability of token rings (TRO 
81: 9)* Penney mentions an additional advantage 
which reflects additional reliability* the shift 
register insertion technique has completely 
distributed control of the transmission system (PEN 
79: 170). But it does have the disadvantage of 

additional delays as the message traverses nodes to 
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its destination (TRO 81: 9), This strategy was also 
deemed appropriate for this model. 

Control Decision . To decide among the three 
strategies deemed appropriate, an analysis that 
compared them was required. Fortunately, there are 
several sources each of which compares simulation 
results of at least two of the strategies under 
similar conditions. After reviewing these studies, 
the shift register insertion technique was selected 
as the most appropriate because it displayed 
superior performance (PEN 79: 234-236; TRO 68-72). 

Table III-2 summarizes the information drawn from the 
various sources referenced in this section from the 
standpoint of this model's requirements. 

The next step was to analyze the protocols required 
to meet the model's requirements. 
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Table 1 1 1 -2 

Comparison of Network Control Schemes 
Applicable to this Model 
Part I 



1 Control 
1 Scheme 


Example 
of the 
Scheme 


Advantages S Disadvantages 


Contention 


CSMA 


1) Best for 

bursty 1 

traffic 

2) Flexible 
design 


1 1 ) Can have 

low channel 

capacity 

utilization 

2) Security is 
complicated 

3) Complex 
implementation 


Slot 


Pierce 

Loop 


1) Best for 
packet 

sw itching 

2) Can 
transni t 
messages 
simulta- 
neously 


1) Can display 
"loop 
hogging" 

(TRO 81: 70) 


Token 


Newhal 1 
Loop 


1 ) Can 
transmit 
variable 
length 
messages 

2) Superior 
per f ormance 

to slot 

3) No loop 
hogging 


1 ) Performance 
inferior to 
shift 
register 
insertion 
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Table I 1 1-2 

Comparison of Network Control Schemes 
Applicable to this Model 
Part II 







Control 

Scheme 


Example k 

of the 1 Advantages 

Scheme 1 
19 


Dlsadvan tages 


Shift 

Register 

Insertion 


DLCN 

DDLCN 


1) Can 

t ransmi t 
variable 

2 ) Can 
transmit 
messages 
simulta- 
neously 

3) Control 
c ompl e t e 1 y 
distributed 

4) Best 
overall 

per f orman c e 


1) Additional 
delays upon 
message 

2) Requires 
addi tional 
storage 



Protocols . 

Introduction to Protocols . Protocols are the 
rules and conventions used to control network 
functions. McQuillan and Cerf state that protocols 
are logical abstractions of the physical process of 
communication and they perform three vital tacks: 

1) establish standard data elements, 2) establish 
conventions, and 3) establish standard communication 
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paths (MCQ 76: 2). 

Protocol design is the most critical aspect of the 
model's development. It is here that the procedures 
required to meet various design features are set. If 
the procedures are incorrect* the network will not meet 
its requirements. 

A concensus on protocols has been developed; it is 
found in the International Standardization 
Organization's Reference Model for Open Systems 
Interconnection (ISO OSI). The ISO OSI is presented in 
an introductory fashion in Tanenbaum's '‘Network 
Protocols" and in more detail in his book Compu ter 
Networks pages 10-21. From the ISO OSI, protocols have 
been divided into seven layers. These layers and their 
interrelationship is illustrated by Figure III-2. (For 
further information, refer to the bibliography under 
McQuillan and Tanenbaum. ) 
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Figure 111-2. The Seven-Layer ISO Reference Model. 
Adapted from Tanenbaum's Computer Networks 
(TAN 8 I a : 11, 16). 



The protocols and protocol related decisions 
that this thesis addresses are those that fall within 
the realm of switching method, flow control, 
error/fault detection/correction, internetworking, 
and access/security controls. 
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The transmission medium Is discussed first. Then 
the switching method. This is followed by the flow 
control protocol along with the priority scheme which it 
supports and the manner in which the transmission 
frequencies are divided to make the priority scheme work 
while maintaining two security levels. A discussion of 
the error handling protocols then follows. Finally, a 
discussion of the security protocols is presented. 

The issue transmission medium to be selected is 
presented here because it impacts upon the switching 
method for message control and that in turn will affect 
the transport protocol. (The protocols for the 
physical, link control, and network and application 
levels are not within the scope of this thesis. It is 
assumed that the various standards which have been 
developed for the lower three levels are followed. The 
only point concerning this model is that of link level 
encryption. It is assumed that appropriate equipment is 
available to perform this task automatically and that 
this task is handled adequately.) 

Switching methods are those techniques that affect 



how the various users share the transmission medium. 



The choices considered ere circuit* message* and packet 
switching (MCQ 78: 12). Each of these methods exhibits 

different properties which affect transmission 
efficiencies. Circuit switching establishes an end-to- 
end dedicated path before any data can be transmitted. 
Message switching does not establish this circuit in 
advance; instead the network makes its transmission 
decision at each node for the next hop. Packet 
switching* which is best suited for interactive traffic 
(TAN 81A: 116)* acquires and releases the node-to-node 

link as required. Table III-3 presents a comparison 
of these three methods. 



Table I I I -3 

Comparison of Switching Techniques 



Characterist ics 


Switching Method 
Circuit Message Packet 


Dedicated Connection 


Yes 


No 


No 


Delays w/ Congestion 


No 


Yes 


Yes 


Storage Required 


No 


Yes 


Temporary I 


Transmission Line 


Yes 


Yes 


No 


Monopol i zed 








Speed/Code Conversion 


No 


Yes 


Yes 


Error Control 


No 


Yes 


Some 


Real Time/Interactive 


No 


Maybe 


Yes 


Bursty Traffic 
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Flow controls ensure proper functioning of the 
communication channels with respect to message 
transmission and reception- The main goal of flow 
control is to avoid overloading a node (CLA 81: 29; 

MCQ 78: 24; TAN 81b: 477). Also included in this 
area is the traffic monitor which enforces flow 
controls and which 1) supervises queues and the 
algorithms that permit the entry/exit of messages, 2) 
inserts dummy traffic that disrupts traffic analysis 
by an intruder, 3) checks for lost or unauthorized 
messages, and 4) monitors the loop for transmission 
link breaks/faults. 

An error/fault detection/correction protocol is 
necessary due to the sensitive nature of the 
information to be transmitted by the SLi: and by the 
time sensitivy of the same. Detection and 
retransmission was the obvious solution for two reasons. 
First, there is no need to implement a costly error 
correction process when the transmission medium, fiber 
optics, supports very low error rates making the 
probability of retransmissions due to bit errors very 
slight. Second, security is an overriding concern which 
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is best 6e r v®d by roojrsting retransmissions as required 
instead of at'.eaptinfc c ut r ec t ions . 

The use dx cyclic redundancy code (CRC) checksums 
was the best means of detection over simpler parity 
checking mechanisms that would be inappropriate for 
traffic that must always be correctly interpreted. 
Furthermore CRC is capable of detecting a greater number 
of errored bits (MCQ 78: 23). The parity checking is to 
be implemented at the data link layer. Other parts of 
the error function are required to handle link breaks 
(which is handled in the network layer) and message 
deletions and insertions (which are handled in the 
transport level ) . 

Internetworking is a major concern in this SLN 
since three of its nodes (designated as communications 
or ”C" nodes) serve as gateways to external long haul 
communications networks. As gateways, these "C" nodes 
perform three functions: 

1) network access protocol 
translation/conversion 

2) packet size matching 

3) speed matching and synchronization 

The most complicated function, that of protocol 
translation, was simplified when the Department of 
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Defense (DoD) decided to approach the Internetworking 
Issue by declaring a set of internetworking protocols 
standards for the DoD community's host-to-host data 
communications networks (DOD 82). The Internet 
Protocol (IP) developed by the Defense Advanced 
Research Projects Agency (DARPA) on the ARPANET is the 
DoD internet standard. Interoperability was further 
improved by the DoD declaring the Transmission Control 
Protocol (TCP), to be built above IP, as another 
standard for its host-to-host data communications 
networks (DOD 82). The Air Force followed suit b> 
declaring the same standards for all of its networks 
(USAF 82 ; USAF 83) . 

For complete DoD compatibility, other protocol 
sets to handle terminal (TELNET) and bulk file 
transfer (FTP) applications are required. (The TELNET 
and FTP protocols are built above TCP/IP.) 

Eventually, DoD standards will be established for 
these functions, too. Dr. Stillman (Technical Advisor, 
USAF/SIT) strongly supports this approach; she feels 
that TCP/IP standard protocol sets (and those protocols 
built upon TCP/IP yet to be declared as standards) will 



meet the requirements of at least 95 percent of the 
DoD ' s users (ST1 83) . 

Finally, access/security controls are those that 
perform the necessary and proper checking of a job 
request# These checks include authentication of the 
user, verification that the user is authorized to use 
each requested resource, and a complete mediation 
check which ensures that the user is indeed on all 
the pertinent access rosters for all the resources, 
requested and that the desired resources can be used 
in the requested combination* But the only access 
control protocols which will be examined and 
considered pertinent to the model are checks to see 
that the job is requesting a node which it can access 
and verification of the legality of the priority 
requested* Other security controls are assumed 
properly enforced at the node of origin and re- 
verified at the node of destination. 

Transmission Medium . There are two choices of 
transmission medium. It could either be coaxial cable 
or fiber optics. In the first chapter, the security 
advantages of fiber optics were discussed. In Table 
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II1-4, a comparison of both mediums is presented. Fiber 
optics are the best choice of transclsslon sedlub for 
this SLN. Fiber optics are strongly recommended as the 
transmission medium for this network because of its 
superior elec trosagnetic esanatlon, error rate, tapping, 
and isolation characteristics. It was assumed that this 
recommendation will be followed. 
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Table 1II-4 

Comparison of Coaxial Cable and Fiber Optics. 



CHARACTERISTIC 


Coaxial 

Cable 


F iber 
Optics 


1) Relative cost outlook 






a) currently inexpensive 


Yes 


No 


b) potentially inexpensive 


Yes 


Yes 


2) Small diameter /weigh t 


No 


Yes 


3) Supports frequency division 


Yes 


Yes 


4) Supports megabit 


Yes 


Yes 


transmission rates 






5) Supports extremely high 


No 


Yes 


bandwidths (800M bits/stc) 






6) Supports point-to-point 


Yes 


Yes 


or broadcast operation 






7) Supports integrated services 


Yes 


Yes 


8) Supports encryption 


Yes 


Yes 


9) Relatively immune to noise 


Ye 


Yes 


10) No crosstalk 


No 


Yes 


11) Radio Frequency Interference 


Yes 


No 


12) Electromagnetic Interference 


Yes 


No 


13) Electrical isolation problems 


Yes 


No 


14) Very low error rates 


No 


Yes 


15) Tapping more difficult 


No 


Yes 


16) Bidirectional (HAB 80: 960) 


Yes 


Yes 



One way to more efficiently utilize a 
transmission medium is to apply a multiplexing 
technology. Multiplexing is a method by which more 
than one channel of communication are combined into 
one. The approach selected for this model was 
frequency division multiplexing. 



52 




< 




Frequency division allocates a particular 
section of bandwidth to each channel all of the time 
(MCQ 78: 10). With this scheme, potentially only a 

fraction of the t raf f ic will be intercepted if a tap 
with incomplete frequency coverage does occur. This 
limits the traffic that an eavesdropper can listen to 
and adds a degree of protection against 
unsophisticated intruders. The increased level of 
sophistication required for such a comprehensive 
full-coverage tap can serve as a deterrent to some 
would be intruders. Further complications can be 
added to the unsophisticated intruder by changing the 
frequency assignments at random intervals. For this 
thesis, the medium will be frequency divided in such a 
way that each of the message channels will •* y ort at 
least a six megabit per second transfer rate. This 
is because the size of the data base transfers which 
the SLN must support. Figure 1 1 1 — 3 illustrates how a 
transmission medium that supports a 60 MBPS 
transmission rate could be divided to support two 
security classifications and three message 
prior it ies . 
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Channel A: Flow Control Messages 



Channel 


B: 


Security 


Le ve 1 


i. 


Rou tine 


Channel 


C: 


Security 


Level 


i. 


Overnight 


Channel 


D: 


Security 


Level 


i. 


Immediate 


Channel 


E: 


Unused 








Channel 


F: 


Security 


Level 


2, 


Routine 


Channe 1 


G: 


Security 


Level 


2, 


Overnight 


Channel 


H: 


Security 


Level 


2, 


Immediate 


Channel 


1 : 


Unused 








Channel 


J: 


Unused 









NOTES: 

1) Each channel (there are ten shown) 
supports 6 MBPS. 

2) In a Coaxial cable medium, each channel 
would be bracketed with unused bandwidth 
to decrease crosstalk. This action 
would result in greater fragmentation of 
the unused portion cf the bandwidth that 
would be available for growth. 

3) If the Bandwidth can support it, there 
would be more unused channels for future 
growth of the system. 

4) Refer to Priority Scheme section for 
traffic class definitions (page 58). 

Figure I1I-3. Model’s Frequency Division 
for an 60 MBPS Fiber Optic Medium. 
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Switching Method . The size of the messages on 
this network will range from just a few bits (bursty 
traffic) to 900,000 bits for the data base transfers. To 
avoid retransmission of large data base transfers 
because of errors and due to the fact that most of the 
traffic will be data based transfers, each job request 
will be limited to a fixed-si 2 e transfer block which 
will consist of a hundred thousand bits for data and 
2,400 bits of overhead (100K bits). Because of the size 
of the data base transfers and as a way to divide these 
transfers into frames or blocks which will make these 
long data base transfers more manageable without hogging 
the transmission lines when a higher priority message 
must get through, packet switching was chosen. The block 
size selected equals the size of the average data base 
transfer (expected to be 100,000 bits) plus the overhead 
bits for a header and trailer. It should be noted that 
packet switching will support real time applications as 
well as data storage, partial error control, fast 
speed/code conversion, delayed delivery and multiple 
message addressing (KCQ 76: 12). It is because of this 

functional flexibility that packet switching was chosen 



■ /V 



\< ~ 



l/r\ 



_ I 






\ 









\ O” 






55 




r- 



o 

o 




v 

\ 

s 

A 



for the model. The queues in the SLN must be large 
enough to hold the largest number of blocks that can 
make up one message. 

When a message Is longer than the set block 
size , it is divided into more than one block. These 
blocks are labeled to maintain proper sequencing 
vhen they are reassembled. They are then transmitted in 
order to the next node. Each block is considered and 
handled as if it were an integral and complete message. 
But at the final destination node the blocks are 
reunited by the transport level protocol to form the 
original message. 

Flow Control . Traffic flow must be controlled 
to maintain a coherent pattern of transmission which 
will permit the proper monitoring of traffic in this 
SLN and to eliminate loss of messages due to 
insufficient available buffer space (TAN 81b: 477— 

478). There are several conventions that must be 
established to implement this control. Also, these 
conventions will help create a clear audit trail for 
messages. Some of the conventions are discussed in 
this chapter under sections on error, fault, and 
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security controls 



The first convention in this area is that of 
message acknowledgements. When a message is 
acknowledged , the sending node can delete it from 
its buffer space. If it is not acknowledged after 
some preset delay tine, timeout occurs and it is 
retransmitted. After a predefined number of 
retransmissions, the problem of message loss due to 
a potential security breach arises. Control is, in 
that case, passed over to the security protocols 
which are covered later in this chapter in the 
sections on error control and security protocols. 

Flow control also prevents one IMP from 
flooding another. Therefore, to avoid loss of 
messages due to insufficient buffer space, a 
convention of message credits is established which 
explicitly permit transmission from one node to 
another by informing the transmitting node what the 
receiver's available buffer space is and allowing 
transmission only when that space is sufficiently 
large. This may cause some transmission delay due 
to the wait that may be required while the receiving 



node’s buffer space Is sufficiently large. But this 
was considered a necessary cost to maintain proper 
message audits for security purposes. It seems 
feasible to add the capability of flushing the 
receiving node’s buffer space with some flow control 
message or with fiome control information in the 
header of a message to that node in the case of high 
priority messages* but this was not included in this 
model. It should be noted that implementing this 
buffer flushing capability could result in 
unacceptable message loss. 

A priority scheme is discussed in these sections 
on protocols because it affects message handling. 

Priority Scheme . There will be three non- 
preemptive priority classes within each of the 
security classifications. These classes are, from 
highest to lowest priority, immediate, routine, and 
overnight. A round robin technique will be used to 
address the queue of each of the classifications. 

A job request with immediate priority will have 
first call on the networks resources on a first-come 
first-served (FIFO) basis within the immediate 



class. No request from the lower priority classi* 
fications can be upgraded to this classification. 

Routine jobs will be routed as soon as possible 
with a FIFO gueue discipline. They are subject to 
delays only when an immediate job is present. Jobs 
may not be routine if the data base transfer required 
i6 larger than one half the maximum message size. 

(The request may be routine, but the response may be 
such that the priority will be down graded to 
overnigh t . ) 

Overnight jobs have the lowest priority. 

Messages of this class are released only when jobs 
of the other classifications are not available for 
transmission. Only a very small percentage of all 
the jobs are expected to be classed as overnight. 

From the information provided by Mr. Hoelscher 
(the point of contact for this thesis at HQ ESC), it 
is expected that immediate jobs will occur even more 
infrequently than overnight jobs since only a crisis or 
an emergency will warrant this classification. Routine 
jobs will be dominate in the SLN f s traffic. A few rare 
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jobs will be overnight and will consist of only large 
data base transfers; immediate jobs will be negligible 
in number. 

Figures 111-4 through III-6 illustrate the 
network’s connectivity and the allowable node 
resource requests that may originate at a given 
node. In those figures, the alphabetic character 
"C" refers to a communication nGde which only 
generates job requests and receives answers to these 
requests. The character "A" refers to an 
application node which responds to job requests and 
which may generate requests of its own. There are 
three" communication nodes and four application nodes 
in this SLN. 

Error Control . Dealing with transmission errors is 
important. Without protocols to handle errors, accurate 
communication is not possible (KEN 83; MCQ 78; PEN 79; 
STO 80; TAN 81a; TAN 81b). The reliability of these 
communications can be greatly improved if there is a 
high probability that few if any errors go undetected. 
The protocol primarily responsible with error control 
and reliable link-to-link transmission resides in the 
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data link level. It ha6 been already mentioned that a 
transmission medium with a very low error rate is- 
desireable (Table 111-3). To further improve upon the 
reliability of the communications ar, error detection 
mechanism is then necessary. 

As Tannenbaun explains, errors can be handled in 
two ways (TAN 81a: 126). One strategy is to include 

enough information to the message that allows the 
receiver to deduce if an error has occurred and have the 
message transmitted. Another strategy would be to add 
enough information to not only deduce that an error has 
occurred, but to also correct it. The second strategy 
is not very efficient if the transmission medium 
supports very low error rates. Since the selected 
transmission medium is fiber optics (which supports very 
low error rates), the first strategy was selected (MCQ 
78: 23 ; TAN 81a: 129) . 

The means of detecting the error can be as 
simple as a parity check. But greater reliability 
can be achieved by a cyclic redundancy code (CRC) 

(PEN 79: 227). Therefore, it was assumed that each 
block that is transmitted within the SLN has a 
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trailer which provides enough bits of information to 
implement a CRC scheme at each node. Furthermore, 
due to the need for error free communication, the 
CRC can be supplemented with a simple scheme that 
regards each transmitted block as a rectangular 
matrix of n by m bits. In this scheme, a separate 
parity bit is computed for each column and is 
affixed to tne matrix as an additional row which is 
then transmitted as part of the trailer. In either 
case, the data link protocol is charged with ensuring 
reliable link-to-link communications . 

(A discussion of either the polynomial that would 
be employed for the CRC scheme or how to perform the 
parity scheme is not within the scope of this thesis. 

But a good general discussion of both techniques can be 
found in Tanenbaum's text.) 

Also within this area is the question of what 
should be done if after several transmissions an 
error free communication is not achieved. First, 
the fault protocol at the transmitting node’s network 
layer (which is waiting for an acknowledgement) is called 
to determine if the link between the nodes is not 
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functional. If the determination is a link fault, then 
transmission is attempted on the alternate loop. - If 
that also is not possible, the node so informs all 
linked nodes and each node's table of available paths is 
updated to reflect that no traffic can reach a 
particular node or set of nodes. Also, if the receiving 
node continues to receive a message that it has 
acknowledged and which is still in its buffer, it also 
calls the fault protocol to determine if there is a link 
fault. The availability of two loops increases the 
probability that the nodes will still be linked after 
one or more link faults. If a message is deemed 
undeliverable because the addressee cannot be reached, 
the sender is informed and the message is flushed. (A 
simulation of the fault-tolerance and redundancy aspects 
of the SLN is not covered within this thesis. Wolf's 
work addresses this problem in some detail for a 
distributed double-loop network.) 

If the problem is not a fault, it could be a 
more subtle problem and both the security and 
maintenance people at the SLN would be notified and 
the message would be continuously transmitted until 
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the maintenance people can attempt to check the 
problem out or the message is successfully 
transmitted . 

Security Protocols , The main security 
protocols this thesis is concerned with deal with 
encryption. The link-to-link encryption (implemented in 
the data link layer) is assumed automatic and reliably 
implemented. It is the source host -to-f inal destination 
host encryption (implemented in the transport or 
presentation layer) which provides the necessary 
additional level of security required for the SLN. 

The key used for the link-to-link encryption 
between each pair of nodes protects the entire packet of 
information transmitted. Each packet’s data is also 
encrypted with a code used only between a given source 
and destination node for that security classification 
arid for that particular session. This dual encryption 
technique forces the intruder to know both codes to get 
to the information when it is most vulnerable, during 
transmission. A further enhancement is that these codes 
change periodically, with each session. In this manner, 
an intruder will be limited to the session(s) for which 
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he has all the codes and not all sessions. The remote 
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keying mechanism and the session level protocols. that 
this would entail arc not within the scope of this 
thesis. But the overhead in resources and processing 
time that security forces upon the network iB expected 
to be relatively high. 

The fact that nodes communicate with others at 
particular security levels allows for a design that 
denies the installation of equipment capable of decoding 
the traffic that a node is not allowed to access. 

Thus, each node will have, in addition to the link-to- 
link encryption/decryption machines for each channel, a 
pair of encryption/decryption devices for messages that 
it receives/ transmit s (one set for each security level). 
(It may be possible that one remote keying device serve 
all security levels.) In this model, the maximum number 
of nodes any single node can communicate with is three and 
all them fall under the same security classification. 

Only node C3 communicates in two different security 
levels and only with one node in each case. (Refer to 
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Figures III-5 and I1I-6.) 

Another aspect of security io the need to deny 
the potential enemy reliable traffic analysis. 
Therefore, there is a need to have fake or dummy 
messages in the transmission stream. The security 
protocols will also control the transmission flow of 
dummy messages. 

Dummy Message Control . Whenever there is no 
message to transmit from a security classification 
(remember the round robin aspect of these 
transmissions) and there U available buffer space 
at the next node, a single block with randomly 
generated bits is transmitted to the next node and 
then flushed from the queue immediately. The 
channel is selected by analyzing a random number 
which will control what percentage of the time a 
message should flow in that channel when there is no 
traffic. The header information for this dummy 
message will tell the receiving node that this is a 
trash message so thet it is flushed from the buffer 
immediately. No acknowledgement is required. It is 
suggested that this dummy traffic travel primarily 
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down the immediate priority channels since these 
will normally have the least traffic. The fact that 
there normally is no traffic on these channels would 
indicare reaction to some critical problem. Therefore, 
sending dummy traffic on these channels would deny that 
certainty to a monitoring enemy. 

However, the price of denying traffic monitoring 
with the use of dummy traffic should be analyzed 
further. The impact of this traffic could significantly 
affect throughput of real traffic. Such delays may be 
considered unacceptable while the security risk of 
allowing potential traffic monitoring could be considered 
justified by the responsible authorities. 

Summary of the Model . 

The next three figures present the dual ring 
topology of the model and the required traffic 
connectivity. Figures II1-5 and I1I-6 are specially 
important because they define the logical link by 
allowable security classes among the nodes. There are 
three facts that stand out from those two figures. One 
is that node C2 does not generate any classification 1 
traffic and that node Cl does not generate any 
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classification 2 traffic* The second is that node A1 is 
the only recipient of classification 1 traffic and that 
node A1 cannot process any classification 2 traffic. 

The third and final fact is that only node C3 
communicates in two different security levels and only 
with one "A* 1 node in each case. Then Figure 111-7 
presents a summary of how traffic is processed within 
each of the network's nodes. 





Direction of Flow: 
for the clockwise loop 
for the counterclockwise loop 



Figure II1-4. The Dual Loop Network for this Model. 
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Figure III-5. Allowable Traffic for 
Security Classification 1. 
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Figure 111-6. Allowable Traffic for 
Security Classification 2. 
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Next Node 

Packet Header * Message ID : Packet Sequence ; 

Number of Packets in Message : 
Priority : Destination : 
Security Check Bit 

Message ID * Source Node ID + unique number 
Packet Sequence * Sequence number of packet for 
message rebuilding 

Number of Packets * Total number of packets in 
message for message rebuilding 
Priority * packe t /me ssage priority 

Destination « final destination (node) 

Security Bit * marks net transaction as 
security is checked 

Packet Trailer * CRC : Parity Check Info 
Packet * Header : 100,000 bits data : Trailer 




Figure II1-7. Packet Control at SLN Node, 

Part 1 
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1 (1) : if flow control packet then 

if acknowledgement then erase acknowledged 
packet from buffer and send credit 
packet to neighbor nodes 
else if credit then 

update credits for node affected 

go to I 

if retransmission request then 
get requested packet and go to J 
verify checksum and parity correct 
if detected error and 

retransmission counter > a max count 
then notify nodes of problem 
set notification flag 
reset retransmission counter to 0 
go to 1 

if detected error then 
request retransmission 
add 1 to retransmission counter 
go to 1 

if no error then 

reset retransmission counter to 0 
send acknowledgement packet 
decode HEADER 
go to 2 

(2) : if CRC and parity checks 

and security checked 

and final destination is this node 
and message complete then 
sequence the blocks 
decode the entire message 
go to 3 

else if no error and security checked 

and for this node then 
strip trailer information 
restore in buffer 

go to 1 {* msg not complete *} 

else go to 4 {not for this node *} 



Figure 111-7. Packet Control at SLN Node. 

Part II 
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(3) : send on to computer resources (via DMA) 

overwrite buffer space with O’s and l's of 
the just transferred message 
send credit messages 
go to I 

(4) : recode Header 

(5) : send to proper queue 

within security classification 

(a) : divide message into blocks 

encode message by block 

(b) : compute CRC and parity checks 

attach Trailer to block 
encode Header 

(c) : send to proper queue 

within security classification 

(I) : choose next packet to transmit 

using credit information for that node 
(Round Robin of classification queues^ 

FIFO within queue.) 

if no message to transmit in either queue 
then poll queues 

until interrupted by a message arrival 
or until a message can be sent 

(J) : transmit chosen message on correct channel 

if not retransmission then 

decrease credits of node message sent to 
go to 1 

A head-in required to do band selection is 
available at each node due to the different 
channels to be selected. 



Figure 111-7, Packet Control at SLN Node. 

Part III 
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From the preceding four figures, it can be seen 
that the designed SLN has a dual loop ring topology with 
a store and forward scheme. As transmission medium, the 
SLN uses fiber optics for point-to-point communications. 
The frequency division multiplex technique is applied to 
the medium to provide multiple channels to implement 
multiple security levels. Packet switching with a block 
length equal to header and trailer length plus the 
average data base transfer message length, 100,000 bits, 
is used to handle variable length messages. Block 
length is fixed at 100K bits. This, along with the 
creation of dummy traffic, will hamper traffic analysis. 
Dummy traffic will provide an additional degree of 
security. Acknowledgement and credit conventions have 
been adopted to avoid message losses due to insufficient 
buffer capacity at the receiving node. There ib one 
queue for each classification. Each queue is long 
enough to hold the maximum number of blocks which can 
make up one message. Each queue is ordered according to 
one of three priority classes. When the entire message 
arrives at its final destination, it is decoded. Error 
correction will not be implemented. Instead, correct 
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data reception will be provided with an error detection 
scheme. This error detection scheme will be Implemented 
using both CRC and parity techniques. This combination 
of techniques will yield an extremely low probability of 
missing any errors. It will also help in the detection 
of message stream modification when an intruder is not 
sophisticated enough to properly modify the CRC and 
parity check fields. Additional memory space is 
available at each node to provide a work area for 
decoding the message headers without altering the 
message in the buffer. But when the entire message is 
being decoded, the decyphered text is held in the 
message buffer until it is transfered to the host 
computer. This transfer is performed, for the model's 
purposes, instantaneously using direct memory access. 
Upon completion of the transfer, the area where the 
decoded message resides in the buffer is overwritten 
three times with l's and then three times with O's to 
help provide an additional measure of security. 

Security is maintained during transmission 
through a two level encryption process which combines 
link-to-link as well as session specific source host- 
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to-final destination host encryption. Actions 
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relating to the session level security aspects are all 
ignored because they do not fall within the scope of 
this thesis. How a packet is handled at a node is 
illustrated in Figure II1-7 at the start of this 
chapter's summary. 

With the design of this model complete, the next 
step was to evaluate it. Jackson’s Theorem wi s 
applied to the model to enable an analysis of the 
network’s operation in the environment defined above. 
Chapter IV discusses this analysis and an attempted 
simulation of the model. 
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Chapter IV: The Models Evaluation 



Overview . 

In this chapter, the analysis of the SLN by 
applying Jackson's Theorem is presented. Then, the 
attempted simulation of the network is presented and 
analyzed. Finally, some conclusions are drawn about the 
model . 

Analysis with Jackson 1 s Theorem . 

Simplification of the Model . Jackson's Theorem can 
only be applied if the model meets specific constraints. 
A goal of the simplification was to meet those 
constraints so that analysis using Jackson's was 
possible. Furthermore, the simplification process had 
to maintain the main elements of the designed network's 
traffic pattern to lend credence to the results of the 
analysis. Therefore, to streamline the model, several 
steps were taken to highlight the important traffic 
without seriously affecting the results of any analysis. 

The first step resulted in eliminating from 
consideration the generation of external traffic at all 
of the "A" nodes. This was done simply because it is 
expected that no load will be generated which is not the 
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direct result of requests/traffic received over the "C" 
nodes (HOE 83). 

The next step eliminated the generation of dummy 
traffic. Then* all consideration of traffic which 
would result from an explicit acknowledgement function 
was eliminated. Also, the priority scheme was ignored. 
These three steps were taken to simplify the traffic 
load analysis. It was deemed more important to get a 
gross idea of the model’s behavior before expending 
resources in an effort that could be terminated early 
on through a simple test. 

The fifth and final step was to assume that the 
packets arrive in o r der and are fed directly to the 
host when they arrive at their final destination. 

This simplifies the processing at each node and can 
be implemented through protocols. Furthermore, 
because a very low error rate is expected, all 
transmissions are assumed error free; therefore, no 
packages will have to be retransmitted. 

The result of the five steps was a simpler 
version of the network model which did not alter the 
bulk of the traffic flow and, therefore, did not 
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grossly affect the analysis* But* the performance 
results expected from an analysis of a siuplif ied -model 
by applying Jackson's Theorem will most likely be 
better than those resulting from the application of the 
sane theorem to the complete model. The next major step 
was to see if the model would fit the Jacksonian 
constraints* 

Applying Jackson^ Theorem . An analysis of the 
network was necessary to see how the model was expected 
to behave. As stated in the preceding section, the 
network model was simplified to permit Jacksonian 
analysis. After determining the general expected 
behavior of the network under expected constraints, if 
the results were deemed favorable, follow-on studies 
could then be used to attain greater confidence in the 
network’s design. If the results of the initial 
analysis were found to preclude the success of the 
design, then redirection was possible without having 
wasted efforts in a detailed and microscopic analysis. 
Figure IV-1 is an accurate illustration of the 
simplified version of the network analyzed by using 
Jackson # s Theorem. 
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Figure IV-1. The Network, 

Due to the traffic that the network supports, each 
node is actually composed of four components (refer to 
Figure IV-2) . One component processes classification 1 
traffic that is addressed to that node. Another 
component handles classification 1 traffic that is 
enroute to another node. A third component processes 
classification 2 traffic for that node. The fourth 
component handles classification 2 traffic that is 
addressed to another node. 
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Figure 1V-2 • Nodal Components. 



8G 



/ 
















For ,, C M nodes: 








not for this node traffic 


external 






external 


arrivals ♦ 






**- arrivals 


system 


[i] 


12] 


system 


arrivals ► 




1 

1 


* arrivals 


to next « ( 


2 ► departures 


node 


j from system 

1 


system 


— • m 


i 

i 

i 

CM 


system 


arrivals -► 






M arrivals 


external 






external 


arrivals 






arrivals 


for 


this node traffic 


For "A" nodes: 








not for this node traffic 


system 


— ♦ m 


(2) — - 


S} stem 


arrivals ► 






arrivals 


to next * J 


V 




node 






system 


-—m 


[ 2 ] ■* 


system 


arrivals -- — ► 






+ arrivals 


fc 


>r this node tral 


:f ic 


[1] - Classification 1 


Queue 




(2) «* Classification 2 


Queue 





Figure IV-2. Nodal Components 



The reason for this breakdown is that traffic is 



not uniformly distributed by classification nor is it* 
uniformly distributed by destination. Furthermore, 
traffic that is not destined for a given node is 
processed differently than traffic that is destined for 
that node. This latter traffic has a longer service 
time. Even though the processing tine at the IMP for 
all traffic is roughly equivalent, additional time is 
required for "this node" traffic due to the response 
which is assumed generated for all traffic from the host 
computer connected to that node. This difference in 
service rate affects performance for "this node" traffic. 
Therefore, the network is actually composed of seven 
nodes each with four servers. 

For traffic that is not addressed to a node, a 
fixed, deterministic, processing l me was used to 
reflect the constant time required tor packet handling. 
For traffic that is addressed to a node, each server uses 
an exponentially distributed processing time to which a 
fixed, deterministic time is added. But, to apply 
Jackson’s Theorem, some assumptions had to be made. 



Jackson’s Theorem stated that the joint distribu- 






> 

tion for all nodes factored into the product of each of 
the marginal distributions is given as the solution t-o 
the M/M/m system (KLE 75: 150). This theorem applies to 
open networks of queues with Poisson arrivals, FCFS 
queues, exponential service times, and no saturated 
queues (KLE 75: 149, SAU 81: 80-81). Furthermore, 
thanks to Burke's Theorem, a network of multiple-server 
nodes connected in a feedforward fashion still preserve 
the node-by-node decomposition that makes Jackson's 
Theorem so useful (KLE 75: 149). For this evaluation 
all of the conditions were met or could be assumed as 
met for analytical purposes when the service times for 
all traffic was idealized to exponential service rates. 
The deterministic service rate was added to the mean of 
the expected service rate to yield a new exponential 
service rate. This shifted the mean service rate but 
did not totally ignore their deterministic component. 

Having met the necessary conditions for Jackson's 
Theorem, Table IV-1 was developed presenting the arrival 
rates in terms of the external arrival rates to the 
system and the necessary performance parameters were 
computed (Table 1V-2) . 

*V, 
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Table IV-1 

Mean Arrival Rates for the Simulation 
Using Jackson’s Theorem. 
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Result s . It woe, of course, known that these 



results were idealistic since each node really was a 
single-server and processing tines could be deter- 
ministic depending on the type of traffic being pro- 
cessed. But the careful selection of the parameters 
helped provide confidence in the results of the analysis. 

The computations made for Table iy-2 were based on 
one packet per message* external arrival rate of 0.0001 
messages per millisecond (i.e., G1 * G2 - G3 * 0.0001)* 
a service rate of 0.001 millisecond per packet for "not- 
this-node M t and a service rate of 0.006 milliseconds 
per message for M this node” traffic. This arrival rate 
is considerably faster than the expected and forseeable 
average traffic load for the network of 100,000 bits of 
raw data per second over one "C" node and 50,000 bits of 
raw data per second for each of the other two ”C” nodes 
(HOE 83). This faster rate was chosen to provide 
greater confidence in the results of an analysis 
performed on an idealistic representation of the model. 
The service rates are those expected with the equipment 
that is planned for the actual network’s implementation 
(HOE 83). 
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Table IV-2. Perforoance Paraoeters 
Coaputed Using Jackson's Theorea 
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Fro© the compute t ional result a, it con be Inferred 
that the designed fullblown SLN model should provide 
adequate performance arid process effectively the bulk 
data traffic that characterizes the expected traffic 
load. As Table IV-2 shows* the system is very capable 
of handling traffic at one packet per message with an 
arrival rate of 0.0001 messages (packets) per 
millisecond and a service rate of one message (packet) 
per millisecond. Even If each message was made up of 
more than one packet* the utilization rate (arrival 
rate divided by service rate) would still be less than 
one. As stated earlier* the chosen arrival rate used 
is an extreme case load that is ten to twenty times 
greater than what could be considered within the realm 
of possibility. Yet, at every point, the utilization 
rate is considerably less than one. Therefore, the 
network should be stable and capable of handling a 
heavier traffic load. 

The Simulation and Throughput Performance . 

The simulation should show how throughput is 
affected by different mixes. Factors that 
influence throughput are the error rate and the 
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resulting retransmission , maximum message size* block 
size* medium speed* arrival rates* and service rates at 
the nodes* Arrival and service rates and message 
length are the only variables addressed by the 
thesis; the other variables are left for further 
study* 

Guidance provided by the thesis sponsors limited 
the range of some of these variables (HOE 82; HOE 83). 
All traffic entering the system would be uniformly 
distributed over the three communication nodes. (The 
distribution of the classification of this traffic was 
previously addressed in Figures HI-5 and III-6.) Short 
bursty transmissions and data base transfers would be 
the only type of traffic. The data base transfers 
would range from 50 to 80 percent of all messages. 

Data base transfer traffic is expected to average about 
100,000 bits in length with a range from 100*000 to 
900*000 bits. Three priority classes were generated 
for the model. At least 50 percent of the traffic 
would be routine and traffic for the highest priority 
could be considered rare to non-existent except in a 
crisis . 
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To focus on the network, it was assumed for this 



thesis that each individual host would have its own 
priority scheme and would handle the messages as it 
deemed appropriate. But handling the priority scheme 
was beyond the scope of the analysis performed. Table 
IV-3 shows the areas actually addressed by the 
simulation . 

Table IV-3. Variables Used in the 
Analysis of the Network’s Throughput Performance. 



1) 


Arrival 


rate 


2) 


Service 


rate 


3) 


Message 


length (range: 1 to 10 packets) 



Some areas are left unexamined by the simulation. 

Such areas as the impact of link faults, buffer size, and 
error rates on the SLN's throughput, are left for 
follow-on projects. This simulation concentrates on 
the three areas identified in the preceding table. 

But how are these areas studied? 

Examining Throughput Performance . The 
simulation program implementing the model had to have 
flexible entries for the features listed in Table IV-3 
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to be examined* Runs were performed changing only one 
of those three parameters between executions. To~help 
In the evaluation* the maximum number of packets held in 
each node's buffer for each run was to be kept* as well 
as the number of messages and packets processed at each 
node. This would permit analysis on how variations 
affected results. 

Since the processing of the SLN's traffic 
consumes time and the traffic could not be generated 
in real time* the program had to simulate the passing 
of time. Events are therefore created end processed 
to simulate this passage of time. The program 
implements an event driven simulation. 

The Design Process . Software engineering 
techniques were applied. First, the requirements 
had to be explicitly defined and the functions that 
were to be performed defined and refined until a 
structure chart of modules is fully developed. Most 
of the initial work was spent on the generation of 
what is illustrated in Figure III-7. It was critical 
to know or decide how messages were tc be processed 
at each node so that the network analysis could be 
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determined. General traffic flow requirements were 
defined in Figures III-4, III-5, and III-6. 

After developing the functions that were to be 
performed at each node (which resulted in Figure III- 
7), a chart presenting the functions to be performed 
was drawn. Initially* the functions to be implemented 
included retransmissions and flow control. Then, the 
number and diversity of these functions was limited by 
the problems that arose with the language being used 
to implement the simulation and by the mathematical 
tools available to perform the analysis. After the 
decision was made to restrict and simplify the model, 
the next step was to see how the functions necessary 
to simulate the SLN could be grouped or developed. 

This resulted in Figure IV-3. The technique of 
stepwise refinement was used to get the simulation 
down to a level that could lead to code. From the 
very start, a data dictionary (Appendix C) was 
maintained and every effort was made to use names that 
were meanginful. The names of constants, variables, 
procedures, and functions were made self-explanatory 
whenever possible within the constraints placed on their 
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length by the coapiler end by the programmer's 
additional constraint of avoiding multiple lines Tor 
simple data manipulations. Furthermore, the programmer 
avoided nesting of f, lf M statements to ease debugging. 
This latter constraint could be changed later if code 
optimization were desire-able. 
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Figure IV-3. Functions Performed 
by the Simulation Program* 



It was obvious at the start that there would be 
variable parameters in each run. A parameter 
initialization module had to be the first module which 
had to interact with the user who would input 
parameters. Of special importance was the start time 
for statistics collection since the simulation would 
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have to run some undetermined amount of time to reach 
steady state prior to data collection* This tioe^vas 
to be arbitrarily set and hopefully a reasonable delay 
time would become apparent through tr ial-and-er ror . 

But before any initialisation module was designed, the 
first step taken was to translate che traffic load 
into an event generating algorithm that represented 
it . 

The event generation function was a straight 
forward implementation thanks to the detailed 
information made available on the expected traffic 
load (refer to Chapter 111, especially the sections 
entitled: Overview, Switching Method, Priority Scheme, 

and Summary of the Model). The only hitch in the 
entire algorithm development proce66 va6 the lack of 
random number generators in the chosen language, PASCAL. 
Books by Hillier and Sauer (HIL 73; SAU 81) eventually 
helped by providing formulas for exponential 
distributions. But the cleanest solution was the one 
finally implemented, to use CBAS1C II (Compiler Systems, 
Inc., version 2.0, July 1981) to generate, initially, a 
two thousand entry file of uniformly distributed random 
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nuebers which could then be accessed by the simulation 
program whenever it required a uniformly distributed 
number. (After much t r ial-and-error , the best cycling 
that was achieved for a uniformly distributed pseudo- 
random number generator was every 574 times, this was 
deemed, after consultation with the thesis advisor, 
borderline acceptable. Reading from a file of uniformly 
distributed random numbers was easier to follow for 
purposes of programming and debugging.) 

Next, after developing the event generating algorithm, 
handling of the created event record via a linked-list 
queue was tackled. The queue manipulation function 
was much more difficult. Translating Figures III-4, 

1II-5, and III-6 and Figures IV-1 and IV-2 into code 
was just the beginning. Event insertions and 
deletions, walking the queue, moving events about in 
the queue to simulate the flow of a packet around the 
network to its destination and the integration of 
calls to modules to generate new events as well as the 
insertion of code to trap required data for follow-on 
analysis was not trivial. Fortunately, the decision 
not to include flow and error control traffic 




94 



■ ■ .v *\ a 









V^crviVT 






simplified the implementation* The final program design 
is reflected by the structure chart in Appendix Bf 

The Differences * As Figure IV-1 illustrates, 
several SLN functions discussed in Chapter III were 
not implemented in the simulation* There are six 
important differences which resulted from the 
model’s simplification* The rationale for this 
simplification is discussed in detail at the beginning 
of this chapter. Briefly* the simplifications were 
required to permit analytical validation of the model 
with Jackson’s Theorem. 

The first difference is the lack of external 
traffic generation at the "A" nodes* The next 
difference is the lack of dummy traffic generation. 

The third difference is the lack of an explicit 
acknowledgement function. The fourth difference is 
that packets are assumed to arrive in order and to be 
fed directly to the host when they arrive at their 
final destination. Next, the priority scheme is 
ignored. Finally, the sixth major difference is that 
all transmissions are assumed error free. 

The Problems . As has already been remarked, the 
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simulation was an additional attempt to further 
validate the network model that was designed. 
Unfortunately, the simulation was never completed. 
Several problems hindered the successful execution of 
the simulation. The most critical problem was the 
language chosen for the simulation. 

Language and Machine Decisions . The SLN model 
developed over the preceding two chapters was a severely 
constrained by the chosen simulation environment. The 
simulation was to be performed on a microcomputer to see 
what could be accomplished on a small system. As far as 
could be determined, no network simulation had yet been 
performed on a microcomputer. Performing the simulation 
on a microcomputer would present constraints cn the 
simulated model due to available memory and computing 
power. The choice of language would also affect the 
implementation due to routines available and ease of 
use. A machine and a language had to be chosen. The 
process is presented below. 

The machine desired was a microcomputer with a 
proven processor chip. Other desired characteristics 
were a large main memory and as much easily accessible 
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secondary storage as possible. Finally, the machine had 
to be available for use. 

Because of availability, an Intertec Data Systems 
"Superbrain" Z80A microcomputer with dual 5.25 inch 
single-sided soft-sectored floppy disk drives (each with 
162K useable storage capacity) with 64K RAM was used. 
When that machine shorted out, it was replaced with a 
microcomputer of the same make, but with double-sided 
floppy disk drives. The upgrade in disk storage 
capacity was a definite asset during the development of 
the thesis because of the additional 332K of secondary 
storage . 

Because of software availability, the language 
choices were limited to some form of Basic, C, or 
Pascal. Due to the unstructured nature, non-overlay 
features, and language construct limitations of the 
Basic softwares available, Basic was not chosen. Both C 
and Pascal did not suffer these handicaps. They are 
structured languages and they both support overlays. 
After talks with some members of the faculty and using a 
timely article in ACM Computing Surveys by Alan R. 

Feuer, Pascal was chosen since It was structured, its 
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dynamic storage for link lists was deemed highly 
appropriate for event-driven simulations, and the- 
available compiler was apparently well-documented and 
supports overlays (critical in a RAM constrained 
environment), and this researcher was familiar with 
the language through courses recently completed. 

Once Pascal and the machine were chosen, the 
next phase was to see how code the model and evaluate 
the network^ performance. 

The Languaf ? . The Pascal language supports 
both overlays and recursive calls has a good 
diagnostic package to aid in debugging, is structured, 
and the author had some programming experience in the 
language. But the software did not provide any number 
generator routines and does not provide the programmer 
with a simple and direct capability for direct bit 
manipulation. In retrospect, for this restricted 
memory environment, the bit manipulating capability of 
C was a more important characteristic which should 
have led to it being chosen instead. Besides, C also 
provided several number generator routines. But the 
restrictive memory in itself was not the problem since 
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overlay© could In part offset it by not having the 
entire program in main memory. 

Unfortunately, the most blatant problem during 
the development of this thesis was the language 
chosen. This problem manifested itself in primarily 
two ways. In the first place, overlays were never 
possible. In second place, the debugging package was 
not fully useable. 

Without overlays, the number of functions that 
could be simulated was reduced. This caused 
considerable simplification of the model which in 
itself was not as discomf itt ing as the reason why 
overlays were not performed. After working with 
Pascal for a while, it became apparent that the 
documentation package was not as good as advertised 
and therefore, expected. 

The other major problem was that to use the 
debugger, the program size was drastically limited. 
That may have been solved with overlays, but as 
mentioned above, the documentation was not that easily 
or well understood. In fact, no one was found to 
provide any aid in this area. Thus, overlays were not 
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perforced and the debugger was not available to help 
during the debugging phase. But even if the debugger 
had been available for use, its usefulness was 
severely handicapped by the fact that it could not 
handle real numbers. This severe handicap was not 
discovered until the software development was well 
into the coding phase. A1J in all, it may be best to 
have C as the language for any follow-up work on a 
microcomputer . 

The last related problem was that when the 
simulation program was finally compiled clean, it did 
not execute as expected. This was never resolved 
prior to the thesis effort being terminated. But it was 
the development of a means to handle random numbers that 
caused the single most frustrating period during the 
generation of this thesis. 

The Random Number Generator . The development 
of the uniform random generator was more difficult 
than expected. Several sources presented good 
examples for mini and other large computers, but 
none presented one for a microcomputer. 

Finally, the theory presented by Sauer and 
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Hllller was used to program a number generator. But 
when it was tested, cycling occurred so quickly that, 
its value was questionable, though considered 
acceptable. Finally, after some study and trial-and- 
error, the solution adopted was to generate a uniform 
number file using C-BAS1C II which was then read as 
necessary by the Pascal program. This was quickly 
tested and proved a clean implementation prior to its 
inclusion in the network simulation program. 

Conclusions . 

Application of Jackson’s Theorem validated the 
designed network. Even though the results of this 
analysis are idealistic, the careful simplification 
and streamlining of the model and the judicious 
selection of arrival and service rates provide a high 
degree of confidence in the design’s ability to meet 
its traffic goals . 

As for the simulation program (Appendix A), it would 
be interesting to see the model validated in this manner. 
Definitely, it would behoove whomever desired this SLN 
to have it simulated with as realistic a set of 
constraints as possible before the immense cost of 
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actually developing the network were made. A SLN is 
not an inexpensive system since heavy software costs 
are involved to develop protocols and interfaces which 
are not in existance today* 





102 



Chapter V; Conclusions and Recoroaendations 



Overview , 

As shown in the preceding chapter, the simplified 
version of the designed model should be able to handle 
the projected work load. Based on that analysis, it is 
expected that the more complex model (summarized in 
the last section of Chapter 111) would also meet the 
work load requirements. In any case, the model was 
designed to: 1) effectively process bulk data traffic, 

2) provide a high level of security, and 3) permit 
multiple concurrent transmissions of different 
classifications. In this last chapter, areas for 
further study are presented and some conclusions are 
drawn from the experience of completing this thesis. 

Areas for Further Study . 

There are at least five areas left for further 
study. The five areas discussed below were not fully 
developed within the scope of this thesis, but they all 
deserve additional research and examination. 

In the first place, an attempt to generalize the 
network model for applications more interactive/bursty 
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in nature could result in different design elements. 

Thic researcher believes that the major differences 
between the design of this SLN and one with more bursty 
traffic would be in the area of topology (a web might be 
more appropriate) and network access control (possibly 
contention instead of shift register insertion). 

But* within the framework of this design and ESC’s 
specific constraints, the addition of dummy traffic, of 
new arrivals from the M A M nodes, of flow control 
traffic, of error /reliabil ity traffic (retransmissions), 
and of priority traffic to a simulation for the purpose 
of examining throughput would be of major interest. Of 
course, this would entail successfully developing the 
simulation attempted for this thesis work. In any case, 
the traffic that is potentially the most damaging to 
throughput is the dummy load. It could cause 
unacceptable delays which would require the re- 
examination by higher authorities of its need for 
security . 

A third area would be research into the 
interoperability and interface issues of a SLN and other 
secure and/or non-securc networks. An analysis of 
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TCP/IP and the projected national level long haul 
communicat ions networks like the Defense Data Network 
would be within the scope of such work* 

Another area that deserves ©ore study is that of 
fault tolerance and fault limitation/isolation in both 
physical (hardware) design and in the design of 
protocols* But probably the most intriguing area would 
be in the fifth area, the expansion of the security 
aspects of this thesis* 

The encryption of this model revolves about the 
secure/ trusted generation and distribution of keys and 
their management* This area has been addressed by 
many without, to this researcher’s knowledge as of 
August 1983, an accepted way of doing so. (Accepted by 
this country’s national level security agencies.) Any 
follow-on work in this area could bring great dividends 
to this nation’s security* 

Conclusions * 

The interplay of topology, network access, 
switching method, and flow and error control protocols 
was challenging, extremely enlightening, and definitely 
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interesting. Th«i addition of security constraints 
does cloud the issue of performance, but flexible 
designs with inherently good performance 
characterit ice seem to be best suited for security, 
too. The design process is definitely influenced by 
security issues, especially those which deal with the 
need to limit the electromagnetic emanations of the 
hardware and the need to guard against traffic analysis. 
But, the key to achieving security seems to exist 
primarily within the realm of software access controls 
implemented in the network’s protocol structure (even if 
these protocols are implemented through micro-code). 
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Appendix A: Program Listing 



Pascal /MT+ Release 5.5 

Copyright (c) 1981 MT MicroSYSTEH, Inc. 



Compilation 


of : 


B : WORKG 






Stcst 


Nest 


Source Statement 






1 


0 










2 


0 


{$K1> 






3 


0 


<$K2> 






4 


0 


{$K4> 






5 


0 


<$K7> 






6 


0 


{$K13> 






7 


0 


{ $K14> 






8 


0 


<$K15> 






9 


0 


PROGRAM SLN SIM (INPUT, OUTPUT): 






10 


0 


{ 


CONFIG CONTROL - '04 JULY 1983: VERSION 2G' 


> 


11 


0 


{ 


IMPLEMENTATION OF A 




> 


12 


0 


{ 


SECURE LOCAL AREA NETWORK (A SLN) 




} 


13 


0 


{ 


THIS SIMULATION MODEL WAS DEVELOPFD TO 


MEET 


) 


-14 


0 


{ 


THESIS REQUIREMENTS FOR THE GCS PROGRAM AT 


> 


15 


0 


{ 


THE AIR FORCE INSTITUTE OF TECHNOLOGY 




> 


16 


0 


{ 


ELECTRICAL ENGINEERING DEPT (AFIT/EN) 




> 


17 


0 


{ 


THIS PROGRAM WAS USED TO VERIFY THE RESULTS 


> 


18 


0 


{ 


DERIVED USING JACKSON'S THEOREM IN THE THESIS) 


19 


0 










20 


0 


{AUTHOR: RICARDO G. CUADRCS, CAPT USAF 




) 


21 


0 


{ADVISOR: WALTER D. SEWARD, MAJOR USAF, : 


PhD 


> 


22 


0 


{ 


PROGRAM DATES: 12 FEB 1982 - 24 JULY 


1983 


> 


23 


0 


{ 


ENVIRONMENT : 




> 


24 


0 


{ 


INTERTEC DATA SYSTEMS SUPERBRAIN QD 


) 


25 


0 


{ 


CP/M 2.2 OPERATING SYSTEM 




> 


26 


0 


{ 


DIGITAL RESEARCH PASCAL MT+ VER 


5.5 


) 


27 


0 


{ 


GENERAL DESCRIPTION: 




X 

J 


28 


0 


{ 


GENERATE AN EVENT QUEUE SORTED BY TIME 




} 


29 


0 


{ 


AND INCLUDING NODE AND CLASSIFICATION 


DATA 


> 


30 


0 


{ 


PROCESS THE EVENT QUEUE TO SIMULATE 




> 


31 


0 


{ 


TRAFFIC FLOW 




> 


32 


0 


{ 


COLLECT TRAFFIC DATA 




> 


33 


0 


{ 


TRAFFIC FLOW: COUNTER-CLOCKWISE 


> 




34 


0 


{ 


< 

V 

I 

*-4 

1 

CM 

CO 

1 

V 
> 


> 




35 


0 


{ 


-> 4 - 5 - 6 - 7 -> 


} 




36 


0 


{ 


NODES 1, 2, 3 ARE COMMUNICATION NODES 


> 




37 


0 


{ 


NODES 4, 5, 6, 7 ARE APPLICATION NODES 


) 




38 


0 










39 


0 


{ 


LIST OF PROCEDURES AND FUNCTIONS ## 


> 




40 


0 


{ 


PROCEDURE INITIAL; 01 


} 




41 


0 




{ PURPOSE: TO INITIALIZE VARIABLES, 


> 




42 


0 




{ ASSIGN FILES, AND TO CONTROL FIRST 


) 




43 


0 




{ THREE EVENTS 


) 




44 


0 











A-l 



Stmt Neat Source Statement 






45 

46 

47 

48 

49 

50 

51 

52 

53 

54 

55 

56 

57 

58 

59 

60 
61 
62 

63 

64 

65 

66 

67 

68 

69 

70 

71 

72 

73 

74 

75 

76 

77 

78 

79 

80 
81 
82 

83 

84 

85 

86 

87 

88 

89 

90 

91 



0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 



{ PROCEDURE GENEVENT (SRC NODE: INTEGER): 02 > 



GIVEN THE NODE, CREATE THE 
NEXT EVENT 



{ PURPOSE: 

{ 

< > 

{ PROCEDURE COMMNODE ; 03 ) 

{ PURPOSE: CONTROLS COMM NODE INFO FOR GENEVENT) 

< > 

{ > 

{ PROCEDURE COMMNODE; 03 > 

{ PURPOSE: GIVEN TH TIME, INSERTS AN EVENT IN } 

{ THE PROPER PLACE OF THE EVENT QUEUE > 

< > 

{ PROCEDURE DELEVENT: 05 > 

{ PURPOSE: DELETES AN EVENT FROM THE HEAD OF ) 

{ THE EVENT QUEUE ) 

{ > 



{ PROCEDURE MOVE VENT; 



06 > 



{ PURPOSE: MOVES EVENTS ABOUT THE MODELED NET; > 



HAS ALGORITHMS FOR COUNTERCLOCKWISE > 
TRAFFIC FLOW; AND SERVES AS TRAFFIC > 
CONTROLLER > 

} 



{ PROCEDURE QWALK; 07 > 

( PURPOSE: TO HELP COLLECT QUEUE INFO FOR RUN } 

{ > 

{ PROCEDURE WRAPUP; 08 > 

{ PURPOSE: RUN TERMINATION CONTROL FOR A NORMAL) 
{ CLOSE OF FILES AFTER RUN ) 

{ ) 

( PROCEDURE UFILREAD; 09 ) 

{ PURPOSE: TO READ FROM THE UNIFORM NUMBER FILE) 

{ ) 

{ trw.wxION SRC : REAL; 10 ) 

{ PURPOSE: TO PROVIDE ARRIVAL TIME INFORMATION } 

{ > 

{ FUNCTION SVC : REAL; 11 } 

( PURPOSE: TO PROVIDE SERVICE TIME INFORMATION ) 

{ > 



v v 



A-2 



Scat 

92 

93 

94 

95 

96 

97 

98 

99 

100 

101 

102 

103 

104 

105 

106 

107 

108 

109 

110 

111 

112 

113 

114 

115 

116 

117 

118 

119 

120 

121 

122 

123 

124 

125 

126 

127 

128 

129 

130 

131 

132 

133 

134 

135 

136 

137 

138 

139 



Nest 

0 

1 

l 

1 

1 

1 

r 

l 

l 

l 

i 

l 

l 

l 

i 

l 

l 

i 

l 

l 

i 

l 

l 

i 

l 

l 

i 

l 

i 

i 



Source Stateoent 

CONST { GLOBAL CONSTANTS ) 

CONFIG CONTROL - '04 JULY 1983: VERSION 2G'; 



APJIIVAL_RATE 
SERVICE_RATE 
COMPLETE 
PARTIAL 
LEN1 
LEH2 
LEN3 
LENA 
LEN5 
LEK6 
LEN7 
LEN8 
LEN9 
LENO 

EOF ITNIF 



0.001 ; { IN MSG PER MILLISEC FOR > 
0.003; { ARRIVAL AND SERVICE RATES ) 
'C' { ALL PKTS FOR THIS KSG RCVD) 
'P' {NOT COMPLETE } 
0.500; {LE1J0 : > 
0.750; { GIVES PROBABILITY MSG ) 
0.875; {IS <- #PKTS LONG > 
0.9375; { (0 REPRESENTS 10 PKTS) ) 
0.96875; { THESE VALUES CHOSEN > 
0.984375; { TO MEET REQUIREMENT > 
0.9921875; { THAT MSG BE LEN 1 50Z ) 



0.99609375; { OF THE TIME. 
0.9990234375; 

1.0000000000; 

999.999; {EOF OF UNIFORM DAT FILE) 



) 



FIXED_PROCESS_TIHE « 0.015; 
TYPE EVENTPTR - “EVNTREC; 



EVNTREC 
E_TIME 
AT_NODE 
TO_NODE 
EX_NODE 
CLASS 
C_OR_P 
E NEXT 
END; 



- RECORD 

REAL; {EVENT TIME; SORT KEY ) 
INTEGER; {CURRENT POS: 10-30, 1-7) 
INTEGER; {INBOUND DEST NODE 4-7) 
INTEGER; {OUTBOUND NODAL SINK 1-3) 
INTEGER; {CLASS: 1 OR 2 ) 

CHAR; {COMPLETE (C) OR PARTIAL (P)) 
EVENTPTR; { NEXT EVENT ) 



1 VAR 


DFILE ; 


TEXT; 


1 


UFILE : 


; TEXT; 


1 


{ WORK ELEMENTS FOR MSGS 


1 


WRK E TIME 


REAL; 


1 


WRK AT — NODE 


INTEGER; 


1 


WRK TO NODE 


INTEGER; 


1 


WRK EX_NODE 


INTEGER; 


1 


WRK CLASS 


INTEGER; 


1 


WRK C OR P 


CHAR; 


1 


WRK E NEXT 


EVENTPTR 


1 


{ POINTERS } 




1 


ATPTR, END PTR : EVENTPTR 


1 


HDPTR, TEMP PTR: EVENTPTR 


1 


{ TLMES > 




1 


ELAPS TM : 


REAL; 


1 


START_TIME : 


REAL; 


1 


STOP TIME : 


REAL; 


1 


TLME_HOW : 


REAL; 
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Stmt 

140 

141 

142 

143 

144 

145 

146 

147 

148 

149 

150 

151 

152 

153 

154 

155 

156 

157 

158 

159 

160 

161 

162 

163 

164 

165 

166 

167 

168 

169 

170 

171 

172 

173 

174 

175 

176 

177 

178 

179 

180 

181 

182 

183 

184 

185 

186 

187 



Nest 

1 

1 

l 

1 

1 

l 

1 

1 

1 

r 

i 

i 

i 

i 

i 

i 

i 

i 

i 

i 

i 

i 

l 

i 

i 

i 

i 

1 

2 
2 
2 
2 
2 
3 
3 
3 
2 
2 
3 
3 
2 
2 
2 
2 
2 
2 
2 

2 



Source Statement 

{ COUNTERS: INDEX CORRESPONDS TO 



'RELATIVE' NODE > 



CLASS 1 CNT 


REAL; 








CLASS 2 CNT 


REAL; 








C STRTSTP 


ARRAY 


J1..7J 


OF 


REAL 


HI VALDES 


ARRAY 


[1..7] 


OF 


REAL 


MAX-IN BUFFER 


ARRAY 


[1 • *7] 


OF 


REAL 


MSGS 


ARRAY 


11. .7} 


OF 


REAL 


PCKTS 


ARRAY 


11. .7) 


OF 


REAL 


P STRTSTP 


ARRAY 


(l. .7] 


OF 


REAL 


SMSGS 


ARRAY 


[1..7J 


OF 


REAL 


SPCXTS 


ARRAY 


(1..7J 


OF 


REAL 



{ MISC VARIABLES } 



ERROR LEVEL 
EVENT_Q_LEN 
IO_STATUS 
LCNT 

MAX PCKTS 

MODULE_NAME 

PCKT_NUM 

PCKTS_IN_HSG 

RDT 

SRC_NODE 
TEMP VAL 
U VALUE 



INTEGER; 

INTEGER; 

INTEGER; 

INTEGER; 

INTEGER; 

ARRAY [1 . .12] OF CHAR; 
INTEGER; 

INTEGER; 

ARRAY (1..20) OF CHAR; 
INTEGER; 

INTEGER; 

REAL; 



{ * * * PROCEDURES AND FUNCTIONS *****) 
PROCEDURE INITIAL; 

VAR LCNT : INTEGER; 

BEGIN 

MODULE_NAME 'INITIAL '; 

WRITELN(' ENTER REMARKS FOR THIS RUN - 20 CHAP'); 
LCNT 1; 

WHILE LCNT O 19 DO BEGIN 
WRITE ; 

LCNT J-LCNT + 1 
END; { END WHILE > 

WRITELN('*' ) ; 

FOR LCNT 1 TO 20 DO BEGIN 
READ (RDT [LCNT] ) 

END; 

READLN; 

WRITELN( 'ENTER MAX NUM OF PCKTS PER MSG - INT'): 
READLN (MAX_PCKTS) ; 

IF MAX_PCKTS > 10 THEN MAX PCKTS 10; 

WRITELN( 'ENTER TIME TO STOP RUN - REAL - SEC'); 
READLN (STOP TIME); 

WRITELN(' ENTER DATA COLLECT START TIME 
- REAL - SEC'); 

READLN (START_TIME) ; 



Stmt 

188 

189 

190 

191 

192 

193 

194 

195 

196 

197 

198 

199 

200 

201 

202 

203 

204 

205 

206 

207 

208 

209 

210 

211 

212 

213 

214 

215 

216 

217 

218 

219 

220 

221 

222 

223 

224 

225 

226 

227 

228 

229 

230 

231 

232 

233 

234 



M M N) N) N) K> N)N)N)N)K>MMN)N)MN)N)NN)MN)WWWWWUWWN)N>N)N)N)N)N3WWWUWWWUWN) 



West Source Statement 

FOR L COT :« 1 TO 7 DO BEGIN {'0' OUT COUNTERS) 



PCKTS [LCNTJ 0.0; 

HI_VALU£S [LCNTJ 0.0; 

MSGS [LCNTJ 0.0; 

MAX IN JHJFFER [LCNTJ 0.0; 
SMSGS [LCNTJ :« 0.0; 

SPCKT3 [LCNTJ 0.0; 

C_STRT$TP [LCNTJ 0.0; 

PjSTRTSTP [LCNTJ :« 0.0 

END; 

EV£NT_Q_LEN 0; 



ERROR_LEVEL 0; {STATUS OK; '9' MARKS PROBLEM > 

CLASS 1_CNT 0.0; 

CLASS2_CNT 0.0; 

{ INITIALIZE QUEUE AND QUEUE POINTERS > 

NEW(HDPTR); 

WITH HDPTR~ DO BEGIN 



E TIME 


- 0.0 


ATJIODE 


- 0; 


TO NODE 


- 0; 


EX NODE 


- 0; 


CLASS 


■ 0; 


C OR P 


- 'O' 


E NEXT 


- NIL 



END; 

ATPTR HDPTR; 

END_PTR HDPTR; 

TEMP PTR HDPTR; 

WRK_E_TDiE 0.0; 

WRK AT_NODE 0; 

WRKJTO NODE 0; 

WRK_EX_NODE 0; 

WRK CLASS 0; 

WRK C_OR_P 'O'; 

WRK_E NEXT NIL; 

ASSIGN(DFILE,'A:RUNDATA.OUT'); 

REWRITE (DFILE); 

ASSIGN(UFILE f 'A:UNIFORM.DAT'); 

RESET (UFILE); 

VRITELN (DFILE ,CONFIG_CONTROL, ' REMARKS « ' ,RDT) ; 
WRITELN (DFILE, 'START ' ,START_TIME, ' ;STOP ' # 

STOPJTIME) ; 

WRITELN (DFILE, ' ARRIVAL ' ,ARR I VALERATE, 

;SERVICE ' , SERVlCE_RATE) ; 

WRITELN (DFILE,' MAX PKTS ',KAX PCKTS); 

WRITELN (DFILE, 'INITIAL , ERROR LEVEL); 

{ GENERATE 1ST 3 ARRIVALS - 1/C NODE > 

WRITELN ( ' GENERATING THE FIRST THREE EVENTS '); 
TIM£_NOW 0.0; 



Sttst 

235 

236 

237 

238 

239 

240 

241 

242 

243 

244 

245 

246 

247 

248 

249 

250 

251 

252 

253 

254 

255 

256 

257 

258 

259 

260 

261 

262 

263 

264 

265 

266 

267 

268 

269 

270 

271 

272 

273 

274 

275 

276 

277 

278 

279 

280 
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Nest Source Statement 

FOR LCNT :■ 1 TO 3 DO BEGIN 
GBNEVENT(LCNT) 

END; { NOW SET TIME TO 1ST ARRIVAL > 

TIME NOW HDPTR~.E TIKE 
END; 

PROCEDURE GENE VENT (VAR SRC_KODE: INTEGER); 

VAR GLCNT: INTEGER; 

BEGIN { ALGO IMPLEMENTS PIG. II-5 6 6 OP THESIS } 
KODULE_NAKE 'CENEVENT 
WRITELN( # IN MODULE JiAHE/ FOR SRC_NODE- 

SRC_NODE) ; 

WRITELN (DFILE ,MODULE_NAME f ERROR_LEVEL , ' # , 

SRC_NODE) ; 

TEMP_VAL SRCJIODE; 

IF SRC_NODE < 10 THEN SRC_NODE SRC_NODE * 10 
ELSE ERROR_LEVEL :« 9; 

IF ERROR__LEVEL <> 9 
THEN BEGIN 
UFILREAD; 

WRK ATJ10DE SRC_NODE; 

IF SRC NODE < 40 THEN WRK EXJNODE TEMP_VAL; 

IF SRC NODE < 40 THEN COMMNODE 



ELSE { SRC NODE > 30 > 
WRKJi_TIME TIME NOW + SVC; 
{ RESPONSE AT APPL > 



UFILREAD; 
IF U-VALUE 


<» 


LEN9 


THEN 


PCKTS 


IN 


MSG 


-9; 


IF 


U-VALUE 


<- 


LEN8 


THEN 


PCKTS 


IN 


MSG 


-8; 


IF 


U-VALUE 


<« 


LEN7 


THEN 


PCKTS 


IN 


MSG 


-7; 


IF 


U-VALUE 


<- 


LEN6 


THEN 


PCKTS 


IN 


MSG 


-6; 


IF 


U-VALUE 


<* 


LENS 


THEN 


PCKTS 


IN 


MSG 


-5; 


IF 


U-VALUE 


<- 


LEN4 


THEN 


PCKTS 


IN 


MSG 


-4; 


IF 


U-VALUE 


<- 


LEN3 


THEN 


PCKTS 


IN 


MSG 


-3; 


IF 


U-VALUE 


<- 


LEN2 


THEN 


PCKTS 


IN 


MSG 


-2; 


IF 


U-VALUE 


<■ 


LEN1 


THEN 


PCKTS 


IN 


MSG 


-1 


ELSE PCKTS_IN_MSG 10; 

IF PCKTS IN MSG > MAX PCKTS THEN 
PCKTS IN MSG MAX PCKTS; 

WRK C OR P PARTIAL; 

FOR GLCNT 1 TO PCKTS IN MSG DO BEGIN 



IF GLCNT - PCKTS_IN-MSG 

THEN WRK_C_OR P COMPLETE; 

4 INSRT(WRK_E TIME) 

4 END { FOR } 

4 END; { IF ERROR_LEEL <> 9 } 

2 WRITELIN('BYE ' ,MODULE_NAME) ; 

2 SRC_N0DE TEMP_VL 

{ SETS SRC_NODE TO ORIGINAL CALLING PARAM } 
2 END; {GENE VENT} 
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Sttat 

231 

282 

283 

284 

285 

266 

287 

288 

289 

290 

291 

292 

293 

294 

295 

296 

297 

298 

299 

300 

301 

302 

303 

304 

305 

306 

307 

308 

309 

310 

311 

312 

313 

314 

315 

316 

317 

318 

319 

320 

321 

322 

323 

324 

325 

326 

327 

328 
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Nest Source Statement 

PROCEDURE COKMNODE; 

BEGIN 

MODULE NAME 'COKMNODE '; 

WRITELN (DPXLE .MODULE HAKE .ERROR LEVEL,' 

SRCJNODE) ; 

WRK_BJTIME TIME NOW + SRC; 

WRK CLASS 1; 

IF TSRC NODE <> 20) AND (UPVALUE < 0*50) 

THEN WRKjCLASS :« 2; 

IF WRKCLASS - 1 THEN BEGIN 
WRKJTOJJODE 4; 

CLASS 1 CNT :• CLASS IjCNT +1.0 
END; 

IF WRK CLASS - 2 
THEN BEGIN 

CLASS 2 CNT CLASS 2 CNT + 1.0; 

WRKJTO_NODB s- 7 
END; 

IF ( (WRK CLASS - 2) AND (UPVALUE < 0.66666667)) 
THEN WRKJTOJJODE 6; 

IF ( (WRKJCLASS - 2) AND (UPVALUE < 0.33333333)) 
THEN WRK_TO_NODE 5 

END; { COMM NODE ) 

PROCEDURE INSRT (VAR TTIME; REAL); 

BEGIN { LINK-LIST IN ASC ORDER BY E_TIME > 
MODULE_NAME 'INSRT '; 

WRITELH (DFILE ,MODULE_NAME , ERRORJLEVEL TTIME) ; 
WRITELN (KODULEJHAME , ERROR_JLEVEL , ' ' .TTIME) ; 
EVENT_Q_LEN EVENT_Q LEN + 1; 

WITH HDPTR~ DO BEGIN 

{ KEEP TRACK OF MAX PCKTS IN BUFFER } 

IF ((AT NODE > 0) A 10) (AT_N0DE < 10)) THEN 
BEGIN 

HI_VALUES[AT_NODE] HI_VALUES[AT NODE] +1.0; 
IF HI_VALUES[AT_NODE] < MAX_IN_BUFFER [AT_NODE] 
THEN 

4 MAX IN_3UFFER[AT_N0DE] HI_VALUES [AT_NODE] 

4 END 

4 END; { WITH ) 

2 IF (HDPTR~.E TIME - 0.0) THEN 

2 BEGIN { LIST EMPTY > 

3 WITH HDPTR~ DO BEGIN 



4 


E TIME 




WRK E TIME; 


4 


AT_NODE 


; - 


WRK_AT_NODE; 


4 


TO NODE 


:• 


WRK TO NODE; 


4 


EX NODE 


:• 


WRK EX NODE; 


4 


CLASS 


:• 


WRK_CLASS ; 


4 


C OR P 


:• 


WRK C OR P; 


4 


E_NEXT 




NIL 


4 


END 
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Stmt 

329 

330 

331 

332 

333 

334 

335 

336 

337 

338 

339 

340 

341 

342 

343 

344 

345 

346 

347 

348 

349 

350 

351 

352 

353 

354 

355 

356 

357 

358 

359 

360 

361 

362 

363 

364 

365 

366 

367 

368 

369 

370 

371 

372 

373 

374 






Meet 



Source Statement 
END 
ELSE 

IF TTIME < RDFnr.n_TXME THEN 
BEGIN { INSERT AT HEAD OF LIST } 



HEW (TEMP PTR) 


• 

1 


WITH TEMP PTR 


"* DO BEGIN 


E TIME 


:« 


WRK E TIME; 


AT NODE 


:■ 


WRK AT NODE 


TOJiODB 


:• 


WRK TO NODE 


EX NODE 




WRK KX NODE 


CLASS 


:« 


WRK CLASS; 


C OR P 


:■ 


WRKJM)R_P; 


E NEXT 


:• 


HDPTR 


EOT; 







HDPTR :• TEMP PTR 
EOT 

ELSE BEGIN { INSERT AFTER START OF THE LIST } 
ATPTR HDPTR; 

WHILE TTIME >- ATPTIT . E_N2XT~ . E_T LME DO 
ATPTR ATPTR"* • EJNEXT ; { END WHILE } 

NEW(TEMP_PTR) ; 

WITH TEHPJPTR"* DO BEGIN 

WRK_E_TIME; 

WRK_AT NODE; 

WRK_TOJRODE; 

WRKJEX NODE; 

WRK CLASS; 

WRK_COR_P ; 

ATPTR - **. E NEXT 



E TIME 
AT_NODE 
TO NODS 
EXJNODE 
CLASS 
C OR_P 
E__NEXT 
EOT; 

IF TTIME >- END_PTR~.E_TIME 
THEN ENDJPTR TEMP PTR; 

ATPTR"* . E NEXT TEMP_PTR 

EOT 

END; (INSRT) 



:■ 



PROCEDURE DELEVENT; 

BEGIN 

{SHOULD ONLY BE DELETING FROM THE HEAD OP THE LIST) 
MODULE_NAME :• 'DELEVENT 
WRITELN(DFILE t MODULE_NAME, ERROR_LEVEL) ; 

IF ((HDPTR"\AT_NODE > 0) AND (KDPTR~.AT NODE < 10)) 
THEN HI_VALUES[RDPTR"*.AT_NODE] - 1.0; 

IF HDPTR"*. E_N EXT - NIL THEN BEGIN 
HDPTR"*. AT_HODE 0; 

HDPTR"* • AT_T IME 0.0 

END 



Stmt 

375 

376 

377 

373 

379 

380 

381 

382 

383 

384 

385 

386 

387 

388 

389 

390 

391 

392 

393 

394 

395 

396 

397 

398 

399 

400 

401 

402 

403 

404 

405 

406 

407 

408 

409 

410 

411 

412 

413 

414 

415 

416 

417 

418 

419 

420 

421 
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Nest Source Statement 
ELSE BEGIN 

ATPTR :« HDPTR" .E NEXT; 

DISPOSE (HDPTR); 

HDPTR :« ATPTR 
END; 

EVENT QJLEN :® EVENT Q_LEN - 1 
END; < DELE VENT) 

PROCEDURE MOVE VENT; 

VAR LCNT : INTEGER; 

BEGIN 

{ CHECK FOR ARRIVAL AT COMM TO GENERATE NEW ONE ) 
MODULE JNAME 'MOVEMENT '; 

WRITELH (DFILE f) MODULEJNAME * ERRORJLEVEL, # ' , 

HDPTR". ATJNODE) ; 

WRITELN (MODULEJ1AME > ERROR_LE VEL % 

HDPTR". AT_NODE) ; 

LCNT 0; 

CASE HDPTR". ATJ20DE OF 
10 : LCNT :« 1; 

20 : LCNT 2; 

30 : LCNT 3 

END; 

WRITELN (MODULE JJAME t ERROR_LEVEL, ' ' ,LCHT) ; 

IF LCNT <> 0 THEN GENEVENT(LCNT) ; 

IF ((TIMSJiOW < STOPJTIME) AND 
(TIMEJIOW >« START JTIME)) 

THEN BEGIN 

TEMP VAL HDPTR".AT_NODE; 

IF TEMP VAL >- 10 
THEN BEGIN 

TEMP_VAL (TEMP VAL DIV 10); 

PCKTS [TEM_VAL] :« PCKTS [TEM_VAL] +1.0; 

IF ( HDPTR". C_OR_P - COMPLETE) THEN 

MSGS[TEM_VAL) MSGS [TEM_VAL) + 1.0 
END 

END; 

WITH HDPTR" DO BEGIN 
{ MOVE TO NEXT NODE > 

IF ( (ATJNODE *» 7) OR (AT_NODE - 70)) 

THEN ATJ10DE 1 

ELSE 

IF ((AT_NODE > 0) AND (AT_NODE < 7 )) 

THEN ATJ?0DE ATJNODE + 1; 

IF (ATJNODE > 9) AND (AT_NODE < 70 )) 

THEN ATJNODE ((ATJNODE + 10) DIV 10) 

END; { WITH ) 






>tEt 


Rest 


Source Stateoent 


422 


2 


IF HDPTPr.AT NODE <> ED PUT. TO NODE 


423 


2 


THEN { TEAT ENTRY AND CREATE A NEW ONE > 


424 


2 


BEGIN 


425 


3 


WRK E TIME :«= RDPTR^.E TIME + 






FIXED PROCESS TIKE; 


426 


3 


WRK AT NODE :• BDFTR^.AT NODE; 


427 


3 


WRK TO NODE EDPTfT.TO NODE; 


428 


3 


WRK LX NODE HDPTR^.EX NODE; 


429 


3 


WRK CLASS ED PITT .CLASS; 


430 


3 


WRK CJQR_P HDPTR~.C OR P; 


431 


3 


INSRT(WRX_EJTIME) 


432 


3 


END { <> ) “ 


433 


3 


ELSE 


434 


2 


IF HDPTPr.AT NODE - HDPTTT .TO NODE 


435 


2 


THEN { ARRIVED TO APPLICATION SINK ) 


436 


2 


BEGIN 


437 


3 


IF HDPTTT.C OR P ■ COMPLETE THEN 


438 


3 


BEGIN 


439 


3 


WRK E TIME HDPTP/\E TIME; 


440 


4 


WRK AT NODE RDPTTT .AT NODE; 


441 


4 


WRK TO NODE HDPTR~.Bf NODE; 


442 


4 


WRK EX NODE HDPTR^.EX NODE; 


443 


3 


WRK CLASS HDPTR~. CLASS ; 


444 


4 


GENE VENT (WRK AT NODE) 


445 


4 


END { COMPLETE > 


446 


4 


END; { - APPLICATION NODE ARRIVAL ) 


447 


2 




448 


2 


IF ((TIME NOW < STOP TIME) AND 






(TIKE NOW >- START TIME)) 


44" 


2 


THEN BEGIN 


450 


3 


IF ( (HDPTR^.AT NODE « HDPTR^.EX NODE) OR 


451 


3 


(HDPTR^.AT NODE - RDPTR^.TO NODE)) 


452 


3 


THEN BEGIN 


453 


4 


SPCKTS[HDPTR~.AT_NODE) 

SPCKTS [HDPTR^.AT NODE) +1.0; 


454 


4 


IF RDPTR~.C OR P - COMPLETE THEN 


455 


4 


SMSGS [RDPTR^.AT NODE) 

SMSGS (EDPTR~.AT_NODE) +1.0 


456 


4 


END 


457 


4 


END; 


458 


2 




459 


2 


IF ((HDPTTT.AT NODE - HDPTR^.EX NODE) OR 


460 


2 


( (HDPTR^.AT NODE - RDPTR~ .T0_N0DE) OR 


461 


2 


( (HDPTR^.AT NODE <> HDPTTT .TO_NODE) ) 


463 


2 


THEN DELEVENT 


463 


2 


ELSE ERROR — LEVEL 9; 


464 


2 




465 


2 


TIME NOW HDPTR^.E TIME 


466 


2 


END; { MOVE VENT) 


467 


1 
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469 

470 

471 

472 

473 

474 

475 

476 

477 

478 

479 

480 

481 

482 

483 

484 

485 

486 

487 

488 

489 

490 

491 

492 

493 

494 

495 

496 

497 

498 

499 

500 

501 

502 

503 

504 

505 

506 

507 

508 

509 

510 
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Heat Source Statement 

1 PROCEDURE QWALK; 

1 VAR LOOT : INTEGER; 

BEGIN 

MODULE MAKE 'QWALK '; 

WRITELN (KODULE_NAME , ERROR 
WRITELN (DFILE .KQDULEJJAME . ERROR_LEVEL) ; 

ATPTR EDPTR; 

LOOT 0; 

WHILE ATPTR~. EJJEXT <> NIL DO 
BEGIN 

LCNT LCNT + 1; 

WITH ATPTR~ DO; 

BEGIN 

IF ( (ATJNODE > 0 ) AND (AT_KODE < 10) > THEN 
IF (CJ0R_P - COM LETE) THEN 
CJSTRTSTP [AT NODE) :« 

C STRTPSTP [AT NODE) + ) .0 
ELSE P STRTPSTP [AT RODE) :« 

p_strtpstp[at"rode) + 1.0 

END { WITH > 

END; { WHILE <> NIL ) 

WRITELN(DFILE/LCNT '.LCNT/ Q_LEN - 

EVENT_Q_LEN) ; 

FOR LCNT :■ 1 TO 7 DO BEGIN 

HI_VALUES[LCNT] : - P-STRTSTP [LCNT) ; 
MAX_IN_BUFFER[LCNTJ : HI VALUES [LCNT] 

END { FOR ) 

END; { QWALK ) 

PROCEDURE WRAPUP; 

VAR LCNT : INTEGER; 

BEGIN 

{ WRITE OUT TO DFILE THE SIM DATA DESIRED ) 
QWALK; 

ELAPS TM TIME_NOW - STARTJTIME; 

WRITELN (DFILE ,'ERROR_LEVEL - '.ERROR LEVEL); 
WRITELN (DFILE /DATA COLLECTED FOR '.ELAPS_TM, 
SEC; TIME NOW - '.TIME_NOW); 

FOR LCNT 1 TO 7 DO BEGIN 
WRITELN ('IN WRAPUP AT NODE 9 '.LCNT); 

WRITELN (DFILE, 'AT NODE # '.LCNT); 

WRITELN (DFILE, ' STOP STATUS: MSGS - '. 
C_STRTSTP (LCNT) ) ; 

WRITELN (DFILE/ PCKTS - ', 

P_STRTSTP [LCNT] ) ; 

WRITELN (DFILE ,'MSGS GENERATED - ', MSGS [LCNT] ; 
WRITELN (DFILE /PCKTS GENERATED - ' .PCKTS [LCNT) 
WRITELN (DFILE, 'BUFFER USED - '. 

MAX_IN BUFFER [LCNT]) 

3 END; 
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Stmt 


Neat 


Source Statement 


511 


2 


WRITELN (DFILE , ' EVENT QUEUE LEN AT STOP TIME - ', 
EVENT Q_LEN); 


512 


2 


CLOSE (UFILE, 10 STATUS); 


513 


2 


IF 10 STATUS - 255 

THEN WRITELN ( ' ERROR IN UFILE CLOSURE' ) 


514 


2 


ELSE WRITELN ('UFILE CLOSED'); 


515 


2 


CLOSE (DFILE, 10 STATUS); 


516 


2 


IF 10 STATUS - 255 

THEN WRITELN ('ERROR IN DFILE CLOSURE') 


517 


2 


ELSE WRITELN ('DFILE CLOSED') 


518 


2 


END; {WRAPUP) 


519 


1 




520 


2 


PROCEDURE UFILREAD; 


521 


1 


BEGIN 


522 


2 


MODULE NAME :« 'UFILREAD '; 


523 


2 


WRITELN ( ' * * ^ENTERING ', MODULE NAME); 


524 


2 


READ(UFILE,U VALUE); 


525 


2 


IF U VALUE - EOF UNIF THEN BEGIN 


526 


3 


RESET (UFILE); 


527 


3 


READ (UFILE, U VALUE) 


528 


3 


END; { IF } 


529 


2 


WRITELN( '* * * * * EXITING ' ,MODULE_NAME) ; 


530 


2 


WRITELN (DFILE, MODULE NAME, ERROR LEVEL, 

' U VALUE :- ',U VALUE) 


531 


2 


END; 


532 


1 




533 


1 


FUNCTION SRC : REAL; 


534 


1 


VAR INT RESULT: REAL; < SRC /COMM NODE ARRIVALS > 


535 


2 


BEGIN { RETS VALUE FROM EXPONENTIAL DIST. > 


536 


2 


UFILREAD; 


537 


2 


INT RESULT :- -( (ARRIVAL RATE) * (LN( 1 .0 - U VALUE))); 


538 


2 


IF INT RESULT <-0-0 THEN BEGIN 


539 


3 


WRITELN ('****ERR0R IN SOURCE ***'); 


540 


3 


ERROR_LEVEL 9 


541 


3 


END 


542 


3 


WRITELN (DFILE, 'SRC READ ' , INT_RESULT , ' ' ,EI_.0R LEVEL) 


544 


2 


END; { END OP SRC ) 


545 


l 




546 


1 


FUNCTION SVC : REAL; 


547 


1 


VAR INT RESULT: REAL; { SERVICE RATE W/SKEW-TIME) 


548 


2 


BEGIN { RETS VALUE FROM EXPONENTIAL DIST. > 


549 


2 


UFILREAD; 


550 


2 


INT RESULT -( (SERVICE RATE)*(LN( 1 .0 - UPVALUE))); 


551 


2 


IF INT RESULT <- 0.0 THEN BEGIN 


552 


3 


WRITELN ('*** ERROR IN SERVICE ***'); 


553 


3 


ERROR LEVEL :« 9 


554 


3 


END 


555 


3 


ELSE SVC INT_RESULT + FIXED PROCESS TIME; 


556 


2 


WRITELN (DFILE, 'SVC READ ' , INTJRESULT , ' ' ,ERROR_LEVEL) 


557 


2 


END; { END OF SVC > 
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StBC Hast 

558 1 

559 1 

560 1 

561 1 

562 1 

563 1 

564 1 

565 1 

566 1 

567 1 

568 1 

569 1 

570 2 

571 2 

572 2 

573 1 

574 1 

575 1 



576 1 

577 1 

578 1 

579 1 

580 2 

581 2 

5S2 2 

583 3 

584 3 



585 3 

586 3 

587 1 

588 1 

589 1 



590 1 

591 1 

592 1 

593 1 

594 1 

595 1 

596 1 

597 1 

598 1 

598 0 

598 0 



Source Statement 

{***********<»***********} 
BEGIN (MAIN-DRIVER) 

INITIAL; 

WRITELN ('ERROR LEVEL :« ' , ERR0R_LEVEL, 

' AFTER INITIAL'); 

WRITELN(DPILE, 'ERROR LEVEL ' , ERROR_LEVEL , 

' AFTER INITIAL'); 

WRITELH ( ' * ***** ** ******** MAIN1' ) ; 

IP ERROR_LEVEL - 9 TEEN TIME NOW 9.60E+15; 

WHILE (TIME NOW < START_TIKE) DO 

WHILE (TIME_NOW < KDPTR~.E_TIKE) DO 
BEGIN 
KOVEVENT; 

IP ERROR LEVEL 9 THEN TIME NOW 9.60E+15 
END; { TIME_NOW < HDPTR“. E-TIME > 

{ END WHILE TIME_NOW < START_TIME } 

VRITELNC' IN MAIN AFTER SET-UP; ERROR LEVEL - ' 

,ERROR_LEVEL) ; 

WRITELN (DFILE , ' IN MAIN AFTER SET-UP;ERROR LEVEL - ', 
ERRORJLEVEL) ; 

WRITELN ('* ************** MAIN2'); 



IF TIHE_NOW <> 9.60E+15 THEN BEGIN 
QWALK; 

WRITELN (DFILE, 'START TIME STATUS: '); 

FOR LCNT 1 TO 7 DO BEGIN 
WRITELN (DFILE, 'AT NODE # ' ,LCNT) ; 

WRITELN (DFILE,' MSGS: ' ,C-STRTSTP [LCNT] , 

' PCKTS : ' ,P_STRTSTP [LCNT] ) 

END ( FOR LOOP } 

END; { TIME_NOW <> 9.60E+15 ) 

WRITELN ('IN MAIN READY TO START UP ', ERROR LEVEL); 
WRITELN (DFILE, 'IN MAIN READY TO START UP ', 

ERROR_LKVEL) ; 

WRITELN('* ************** MAIN3' ) ; 



WHILE (TIME_NOW < STOP_TIME) DO 

WHILE (TIME NOW < HDPTR~.E_TIME) DO MOVEVENT ; 
{ END WHILE TIME_NOW < STOP_TIME ) 

WRAPUP; 

WRITELN (' DONE ') 

END . ( END OF THE PROGRAM > 



Normal End of Input Reached 
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Appendix B: Structure Chart 



MAIN-ROOT/DRXVP.a | 

. 0| 

I 

I 






1 


INITIAL 


| MOVE VENT | 


1 


1. 


1 1 1 


1.2| 




i 




1 1 1 




i — 


> 1 < 1 

1 


1 1 1 
1 1 




i 


1 

GENEVKNTI 


1 1 
1 1 




i 


2.1 I 


1 1 






1 1 


1 1 






I 1 


1 1 






1 1 — 




1 1 1 1 
1 1 1 1 


| Function | 


i i 


COHKNODE | 


| INSRT | 


| SVC OR SRC | 


i i 


3-31 


1 3^41 


1 3.1 3.2| 


i 






1 


i 






| 


i 






1 

| UFILREAD 


1 




| 


4.1| 





QWALK | 

2.2 I 



-I 

I 

I 



WRAFUP | 
1-3 | 

I 

-I 



| DELEVENT | 
I L1J 



Appendix C: Data Dictionary 





TRAFFIC PLOW: COUNTER-CLOCKWISE 

V<-3-2-l — < ~ 

— >4 — 5 — 6 — 7 — > | 

BODES 1, 2, 3 ARE COMMUNICATION NODES 
NODES 4, 5, 6, 7 ARE APPLICATION NODES 

PROCEDURES AND FUNCTIONS i.t 

1. PROCEDURE INITIAL: 1.1 

PURPOSE: TO INITIALIZE VARIABLES, ASSIGN 

FILES, AND TO CONTROL 1ST 3 EVENTS 

2. PROCEDURE GENEVENT(SRC NODE: INTEGER); 2.1 

PURPOSE: GIVEN THE NODE, CREATE THE NEXT EVENT 

3. PROCEDURE COMMNODE: 3.3 

PURPOSE: CONTROLS COMM NODE INFO FOR GEN EVENT 

4. PROCEDURE INSRT ( (TIME: REAL); 3.4 

PURPOSE: GIVEN TH TIKE, INSERTS AN EVENT IN 

THE PROPER PLACE OF THE EVENT QUEUE 

5. PROCEDURE DELEVENT: 5.5 

PURPOSE: DELETES AN EVENT FROM THE HEAD OF 

THE EVENT QUEUE 

6. PROCEDURE KOVEVENT: 1.2 

PURPOSE: MOVES EVENTS ABOUT THE MODELLED NET; 

HAS ALGORITHMS FOR COUNTERCLOCKWISE 

TRAFFIC FLOW; AND SERVES AS TRAFFIC 

CONTROLLER 



7. PROCEDURE QWALK: 2.2 

PURPOSE: TO HELP COLLECT QUEUE INFO FOR RUN 

8. PROCEDURE WRAPUP; 1.3 

PURPOSE: RUN TERMINATION CONTROL FOR A NORMAL 

CLOSE OF FILES AFTER RUN 

9. PROCEDURE UFILREAD; 4.1 

PURPOSE: TO READ FROM THE UNIFORM NUMBER FILE 

10. FUNCTION SRC : REAL; 3.1 

PURPOSE: TO PROVIDE ARRIVAL TIME INFORMATION 

11. FUNCTION SVC : REAL; 3.2 

PURPOSE: TO PROVIDE SERVICE TIME INFORMATION 



CONSTANT 

GLOBAL 

ARRIVALJRATE- 0.0001; { IN MSG PER MILLISEC FOR ) 

COMPLETE - 'C' { ALL PKTS POR THIS MSG RCVD ) 

CONPIGjCONTROL - LITERAL ALTERED BY MANUALLY TO TRACK 
PROGRAM VERSION 

EOFJUNIF - 999.999; { EOF OF UNIPORM_DAT FILE ) 

FIXED_PROCESS_TIHE - 0.015; 




C-l 



LEN1 


a* 


0.500; 


{ 


LEN# s 


) 


LEN 2 


m 


0.750; 


{ 


GIVES PROBABILITY HSG 


} 


LEN 3 


m 


0.875; 


{ 


IS <- #PKTS LONG 


> 


LEN4 


m 


0.9375; 


{ 


(0 REPRESENTS 10 PKTS 


} 


LENS 


m 


0.96875; 


< 


THESE VALUES CHOSEN 


) 


LEN 6 


m 


0.984375; 


{ 


TO MEET REQUIREMENT THAT 


> 


LEN 7 


m 


0.9921875; 


{ 


MSG BE LEN 1 50Z OF TIME 


•> 


LENS 


m 


0.99609375; 








LEN 9 


m 


0.9990234375; 






LENO 


m 


1.0000000000; 






PARTIAL 


a* 


'P'; 


{ 


NOT COMPLETE 


> 


SERVICE RATE 


- 0.003; 


{ ARRIVAL AND SERVICE RATES 


> 



TYPE 



EVENTPTR 
EVENTRKC 
EJC1KE 
ATJIODE 
TOJJODE 
EXJiODE 
CLASS 
CjOR P 
ERNEST 
END; 



- ~EVNTREC; 

» RECORD 

REAL; 



{ EVENT TIKE; SORT KEY } 
INTEGER; { CURRENT POSITION: 10-30, 1-7) 
INTEGER; { INBOUND DESTINATION NODE 4-7) 
INTEGER; { OUTBOUND NODAL SINK 1-3) 
INTEGER; { CLASSIFICATION: 1 OR 2 > 

CHAR; { COMPLETE (C) OR PARTIAL (P)> 
EVENTPTR; { NEXT RECORD/EVENT > 



VARIABLES 

COUNTERS: INDEX CORRESONDS TO 'RELATIVE' NODE 

CLASS 1_CNT : REAL; {HUM MESSAGES ENTERING THE > 

CLASS 2 CNT : REAL; { NETWORK FOR A GIVEN CLASS) 

{ARRAYS TO STORE NODAL INFO:) 

{COMPLETE MSGS) 
{TEMP FOR MAX) 
{MAX PCKTS) 
{TOTAL SEEN) 
{TOTAL SEEN) 
{PARTIAL MSGS) 
{MSGS FROM A) 
{PCKTS FROM A) 



C STRTSTP 


ARRAY 


11. .7] 


OF 


REAL 


HI VALUES 


ARRAY 


11. .7] 


OF 


REAL 


MAX IN BUFFER 


ARRAY 


[1..7] 


OF 


REAL 


MSGS 


ARRAY 


11* *7| 


OF 


REAL 


PCKTS 


ARRAY 


I 1. .71 


OF 


REAL 


P STRTSTP 


ARRAY 


11. .71 


OF 


REAL 


SMSGS 


ARRAY 


11. .7] 


OF 


REAL 


S PCKTS 


ARRAY 


11. .7] 


OF 


REAL 



FILES 

DFILE 

UFILE 

MISC VARIABLES 

ERROR JLEVEL 
EVENT_QJLEN 
IO_STATUS 
LCNT 

MAX PCKTS 
MODULE_NAME 
PCKT_NUM 
PCKTS IN_MSG 
RDT 



TEXT; { STATISTICS /DEBUF FILE) 
TEXT; {UNIF-RAND FILE) 



INTEGER; { 0 - OK; 9 - ABORT RUN } 
INTEGER; {TO DETERMINE MAX_IN_BUFFER) 
INTEGER; { USED IN CLOSE CMD ) 

INTEGER; { GENERAL PURPOSE COUNTER ) 
INTEGER; { LIMITS MSG LEN ) 

ARRAY [1..12J OF CHAR; { DEBUG RMKS ) 
INTEGER; { USED IN MSG GENERATION } 
INTEGER; { USED IN MSG GENERATION ) 
ARRAY [1..20] OF CHAR; { RUN REMARKS } 
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:^r v.-vr-j 



-. V V.' •_* 




SRC__NODE 
TEM VAL 
U VALUE 



INTEGER; { USED IK MSG GENERATION > 
INTEGER; {GENERAL PURPOSE TEMP HOLD > 
REAL; { RESULT OF READ FROM U7XLE > 



POINTERS 

ATPTR, ENDJPTR: 
HDPTR, TEM PTR: 



EVENTPTR; 

EVENTPTR; 



TIMES 



ELAPS TM : 


REAL; 


START TIME : 


REAL; 


STOP TIME : 


REAL; 


TIME NOW : 


REAL; 



{ ELAPSED TIME ) 

{ START DATA COLLECTION } 

{ STOP DATA COLLECTION > 

{ CURRENT SIMULATION CLOCK TIME > 



WORK ELEMENTS FOR MESSAGES 
WRK_E_jnME : 
WRK_\T NODE : 

WRK TO_NOD£ : 
WRK_EX_NODE : 
WRK_CLASS : 

WRK CJDR_P : 

WRK E NEXT : 



REAL; 

INTEGER; { CURRENT POSITION: 10-30, 1-7) 
INTEGER; { INBOUND DESTINATION NODE 4-7} 
INTEGER; { OUTBOUND NODAL SINK 1-3} 
INTEGER; { CLASSIFICATION: I OR 2 } 

CHAR; { COMPLETE (C) OR PARTIAL (P)} 
EVENTPTR; 
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